See: http://www.openwall.com/lists/oss-security/2017/08/20/1

unrar-gpl suffers from multiple security issues, notably a trivial directory traversal vulnerability. It is unmaintained upstream and not very useful these days (it only supports old rarv2 files, which are barely used any more, and libarchive, another free rar unpacker that is much better maintained, is available). Unless someone objects I'll probably just last-rite the package (I'm the Gentoo maintainer of it).
Hanno, is this your own work or related to bug 628178 aka http://seclists.org/oss-sec/2017/q3/290?
@Thomas: This is unrelated. unrar and unrar-gpl have an independent codebase. unrar is a non-free (but source available) tool from RAR upstream, unrar-gpl is a no longer maintained free alternative. bug 628178 is about the non-free unrar.
Update:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14120
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory traversal vulnerability for RAR v2 archives: pathnames of the form ../[filename] are unpacked into the upper directory.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14121
The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a NULL pointer dereference flaw triggered by a specially crafted RAR archive.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14122
unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based buffer over-read in unrarlib.c, related to ExtrFile and stricomp.

@maintainer, I'm updating on your report for the CVE reference, and noting that upstream is unresponsive or just not interested in the package. It's your call as to what happens next.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
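The traversal in CVE-2017-14120 is the classic archive-extraction hazard: a member name such as ../[filename] is joined to the output directory without being checked. As an added example (not code from unrar-gpl, libarchive or the bug's authors), the C function below, named safe_entry_path here as an assumption, is the kind of check an extractor runs on every member name before opening an output file; it rejects absolute paths, Windows drive prefixes and any ".." component, treating both '/' and '\\' as separators since RAR archives from Windows use backslashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not unrar-gpl code. Decide whether an archive member name
 * may be written underneath the extraction directory. Returns true only when
 * the name is relative and no path component is "..". */
static bool is_separator(char c)
{
    return c == '/' || c == '\\';
}

bool safe_entry_path(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;                       /* nothing to write */
    if (is_separator(name[0]))
        return false;                       /* absolute path, e.g. /etc/passwd */
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return false;                       /* Windows drive prefix, e.g. C:\ */

    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && !is_separator(*p))
            p++;                            /* scan one path component */
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;                   /* ".." component escapes the target dir */
        while (is_separator(*p))
            p++;                            /* skip runs of separators */
    }
    return true;
}
```

A name like "..foo/bar" is accepted because ".." is only rejected as a whole component; an extractor should still open output files with O_NOFOLLOW or equivalent so a previously extracted symlink cannot redirect a later write.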
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e37ce8b9eae1785939058f0d5af4d2e3422b5cc

commit 4e37ce8b9eae1785939058f0d5af4d2e3422b5cc
Author:     Michael Mair-Keimberger <m.mairkeimberger@gmail.com>
AuthorDate: 2018-04-29 08:23:49 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-05 01:43:53 +0000

    app-arch/unrar-gpl: treeclean

    Closes: https://bugs.gentoo.org/628432
    Closes: https://github.com/gentoo/gentoo/pull/8196

 app-arch/unrar-gpl/Manifest                          |  1 -
 .../unrar-gpl/files/unrar-gpl-0.0.1-solaris.patch    | 63 ----------------------
 app-arch/unrar-gpl/metadata.xml                      |  7 ---
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r1.ebuild    | 24 ---------
 .../unrar-gpl/unrar-gpl-0.0.1_p20080417-r2.ebuild    | 32 -----------
 profiles/package.mask                                |  5 --
 6 files changed, 132 deletions(-)