Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622342 - <app-arch/unrar-5.5.5-r1: VMSF_DELTA filter in unrar allows arbitrary memory write (CVE-2012-6706)
Summary: <app-arch/unrar-5.5.5-r1: VMSF_DELTA filter in unrar allows arbitrary memory ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/project-z...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 628182
Blocks: CVE-2012-6706
  Show dependency tree
 
Reported: 2017-06-20 19:06 UTC by Hanno Böck
Modified: 2017-10-02 04:29 UTC (History)
3 users (show)

See Also:
Package list:
app-arch/unrar-5.5.5-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-06-20 19:06:43 UTC
Found by project zero:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&can=1&q=unrar&desc=6

Upstream version 5.5.5 contains the fix. We may have to check what other apps bundle unrar (e.g. clamav).
Comment 1 Thomas Deutschmann gentoo-dev 2017-06-21 11:48:57 UTC
Now in repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dabe9845e2f4b38d214b8cc1e27f0a43680eb39c

UnRAR v5.5.5 is RAR 5.50 beta 4 so app-arch/rar is probably affected as well.


@ Arches,

please test and mark stable: =app-arch/unrar-5.5.5
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-21 12:10:08 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-21 12:12:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann gentoo-dev 2017-06-21 12:22:49 UTC
Repository is now clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f84896cce4b495bcf147fd493e815d5106f7aa76).

New GLSA request filed.
Comment 5 Thomas Deutschmann gentoo-dev 2017-06-21 13:27:30 UTC
Oops, we need more than just amd64/x86 -- mixed with app-arch/rar.


@ Arches,

please test and mark stable: =app-arch/unrar-5.5.5
Comment 6 Thomas Deutschmann gentoo-dev 2017-06-21 15:12:14 UTC
Package was rev bumped to downgrade EAPI back to EAPI=5. So please continue with =app-arch/unrar-5.5.5-r1.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-26 20:21:02 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 07:47:57 UTC
ia64 stable
Comment 9 Markus Meier gentoo-dev 2017-07-07 06:17:14 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:44 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-07-07 13:25:51 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-07-07 14:51:22 UTC
ppc64 stable
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-08-02 03:16:50 UTC
Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
Comment 14 Thomas Deutschmann gentoo-dev 2017-08-18 14:52:17 UTC
Superseded by bug 628182.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-08-21 01:14:44 UTC
This issue was resolved and addressed in
 GLSA 201708-05 at https://security.gentoo.org/glsa/201708-05
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann gentoo-dev 2017-08-21 01:15:38 UTC
Re-opening because hppa wasn't done yet.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-09-25 21:50:17 UTC
This issue was resolved and addressed in
 GLSA 201709-24 at https://security.gentoo.org/glsa/201709-24
by GLSA coordinator Aaron Bauman (b-man).