unrar-gpl shares code from libclamav, thus is also affected by CVE-2008-1837. I can't reproduce the issue on current cvs snapshot (just committed), thus I assume it's safe, although it hasn't seen any updates recently.
amd64/x86 stable, last arches.
Hanno, can you please confirm that this is actually fixed? What makes me wonder is that the last CVS commit is 7 months old, and the latest affected clamav version was released only 2 months ago.
rbu, I'm not really sure, I was wondering the same. I wrote to the clamav-dev asking for the samples and he sent me three rar-files crashing clamav < 0.93. All three don't crash latest unrar (while they crash the older snapshot), so from my tests they are safe. I don't have an explanation for that though.
If you still have contact upstream, you could ask for the patch fixing CVE-2008-1837.
Hanno: The only difference between the two versions you tried was removing "unrar30" code, which is removed from the upstream libclamav for some time. The diff that is called "check in 0.93 patches" is this: http://svn.clamav.net/websvn/comp.php?repname=clamav-devel&path=&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3787&compare%5B%5D=%2Ftrunk%2Flibclamunrar%2F@3788
any news here?
revisiting this bug I noticed that the libclamav code is actually not used within unrar-gpl. The unrar20.* unrar15.* and unrar29.* files are derived from libclamav, but you can simply delete them without any effect. The rar code actually used is the one from unrarlib.