Your message dated Sun, 30 Nov 2014 23:17:05 +0000
with message-id <e1xvdjl-0007so...@franck.debian.org>
and subject line Bug#770647: fixed in libclamunrar 0.98.5-0+deb7u1
has caused the Debian Bug report #770647,
regarding double free in libclamunrar_iface + memory leak in read_block()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770647: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770647
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libclamunrar
Version: 0.96.4-1
Severity: serious
Tags: security pending

The debian security tracker references a problem ("clamav: double-free
error libclamunrar_iface/unrar_iface.c") which it learned from
http://www.openwall.com/lists/oss-security/2013/11/29/6
This got marked as fixed in Debian because the Clamav version we use is a
high enough version. However the file / part of code is not used from
the clamav package but from the libclamunrar package instead. It is
split into another package due to the non-free license of the unrar code.

To double check, the report mentions the file unrar_iface.c. If you
check the buildlog of the clamav package you won't find it together with
gcc. If you check libclamunrar's buildlog then you will see it. Also if
you check libclamunrar_iface.so.6.1.20 you will find the function named
libclamunrar_iface_LTX_unrar_extract_next_prepare which is part of the
libclamunrar package.

To conclude: this problem as such is still not fixed in Wheezy.
The only clamunrar related change between 0.98.1-1 and 0.98.5-1 is a
memory leak fix in read_block(). For that reason and to keep it in sync
with the clamav package I would prefer to have the 0.98.5 version in Wheezy.

Sebastian

--- End Message ---
--- Begin Message ---
Source: libclamunrar
Source-Version: 0.98.5-0+deb7u1

We believe that the bug you reported is fixed in the latest version of
libclamunrar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated libclamunrar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 25 Nov 2014 22:01:13 +0100
Source: libclamunrar
Binary: libclamunrar6
Architecture: source amd64
Version: 0.98.5-0+deb7u1
Distribution: stable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Description: 
 libclamunrar6 - anti-virus utility for Unix - unrar support
Closes: 727917 741080 770647
Changes: 
 libclamunrar (0.98.5-0+deb7u1) stable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Update to new upstream version.
     - Finally address "double-free error exists within the
       unrar_extract_next_prepare()" (Closes: #770647)
   * redo rules files to something smaller like we do have in the clamav
     package.
   * Do autoreconf before configure (closes: #727917).
   * Enable hardened build flags (closes: #741080).
   * Remove all .la files (clamd works without them).
   * Add VCS-* tags.
   * Add myself as uploader.
   * Remove *.so files (lintian warning).
   * Add a symbol file.
   * Bump standards version to 3.9.1 after making the required changes.
   * Drop automake workaround, the bug was fixed.
   * Fix LFS support using the same approach as clamav for compatibility and
     correctness
 .
   [ Scott Kitterman ]
   * Add build-dep on libssl-dev, needed for configure even if not used
     in libclamunrar
   * Update debian/copyright to add openssl exception per COPYING


--- End Message ---
