Almost seems benign according to the upstream changelog: "a security issue involving out of bounds write is fixed in RAR4 recovery volumes processing code. We are thankful to goodbyeselene working with Trend Micro Zero Day Initiative for letting us know about this bug;" ZDI advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/ "This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file." I haven't seen any information about whether this affects other RAR unpackers.
GLSA vote: yes
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f97fbbdcd3a42d36e9bc91731f3b8dd278a9393 commit 3f97fbbdcd3a42d36e9bc91731f3b8dd278a9393 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-09-17 05:31:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-09-17 05:31:48 +0000 [ GLSA 202309-04 ] RAR, UnRAR: Add CVE-2023-40477 too Bug: https://bugs.gentoo.org/912652 Signed-off-by: Sam James <sam@gentoo.org> glsa-202309-04.xml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=aa3a7cb5bcee7cc0d61e80a9bfed7daeeec89ba3 commit aa3a7cb5bcee7cc0d61e80a9bfed7daeeec89ba3 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-09-17 05:41:22 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-09-17 05:41:22 +0000 [ GLSA 202309-04 ] RAR, UnRAR: Update resolution Bug: https://bugs.gentoo.org/912652 Signed-off-by: Sam James <sam@gentoo.org> glsa-202309-04.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
