Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: unrar-nonf...@packages.debian.org, t...@security.debian.org, yokota.h...@gmail.com Control: affects -1 + src:unrar-nonfree
[ Reason ] To fix CVE-2023-40477. CVE-2023-40477 was fixed in unrar-nonfree 6.2.9-1, which has already been released for trixie/sid. [ Impact ] If not fixed, it allows remote attackers to execute arbitrary code. [ Tests ] There are no test cases for CVE-2023-40477. The Debian autopkgtest for normal operation passed. [ Risks ] There are no test cases for CVE-2023-40477, so I can't confirm the bug was fixed. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Apply the upstream fix from UnRAR 6.2.9 to unrar-nonfree 6.2.6-1, which is in bookworm. The debdiff can be examined online: https://github.com/debian-calibre/unrar-nonfree/compare/debian/1%256.2.6-1...debian/1%256.2.6-1+deb12u1 [ Other info ] * RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability https://www.zerodayinitiative.com/advisories/ZDI-23-1152/ * WinRAR 6.23 final released https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
diff -Nru unrar-nonfree-6.2.6/debian/changelog unrar-nonfree-6.2.6/debian/changelog
--- unrar-nonfree-6.2.6/debian/changelog 2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/changelog 2023-08-26 16:27:26.000000000 +0900
@@ -1,3 +1,9 @@
+unrar-nonfree (1:6.2.6-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-40477
+
+ -- YOKOTA Hiroshi <yokota.h...@gmail.com> Sat, 26 Aug 2023 16:27:26 +0900
+
 unrar-nonfree (1:6.2.6-1) unstable; urgency=medium
 * New upstream version 6.2.6
diff -Nru unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch
--- unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch 1970-01-01 09:00:00.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/0015-CVE-2023-40477.patch 2023-08-26 16:27:26.000000000 +0900
@@ -0,0 +1,106 @@
+From: YOKOTA Hiroshi <yokota.h...@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+---
+ getbits.cpp | 8 ++++----
+ pathfn.cpp | 2 +-
+ recvol3.cpp | 11 +++++++++--
+ secpassword.cpp | 8 ++++----
+ 4 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/getbits.cpp b/getbits.cpp
+index 8805f27..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+ ExternalBuffer=false;
+ if (AllocBuffer)
+ {
+- // getbits*() attempt to read data from InAddr, ... InAddr+3 positions.
+- // So let's allocate 3 additional bytes for situation, when we need to
++ // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++ // So let's allocate 4 additional bytes for situation, when we need to
+ // read only 1 byte from the last position of buffer and avoid a crash
+- // from access to next 3 bytes, which contents we do not need.
+- size_t BufSize=MAX_SIZE+3;
++ // from access to next 4 bytes, which contents we do not need.
++ size_t BufSize=MAX_SIZE+4;
+ InBuf=new byte[BufSize];
+
+ // Ensure that we get predictable results when accessing bytes in area
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 49d16a8..7a54354 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -746,7 +746,7 @@ static void GenArcName(wchar *ArcName,size_t MaxSize,const wchar *GenerateMask,u
+ // Here we ensure that we have enough 'N' characters to fit all digits
+ // of archive number. We'll replace them by actual number later
+ // in this function.
+- if (NCount<Digits)
++ if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+ {
+ wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+ wmemset(Mask+I,'N',Digits);
+diff --git a/recvol3.cpp b/recvol3.cpp
+index ecf6dd3..0138d0f 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+ if (WrongParam)
+ continue;
+ }
+- if (P[1]+P[2]>255)
++ if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+ continue;
+ if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+ {
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent)
+ wcsncpyz(PrevName,CurName,ASIZE(PrevName));
+ File *NewFile=new File;
+ NewFile->TOpen(CurName);
+- SrcFile[FileNumber+P[0]-1]=NewFile;
++
++ // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++ // checks above. Still we keep it here for better clarity and security.
++ int SrcPos=FileNumber+P[0]-1;
++ if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++ continue;
++ SrcFile[SrcPos]=NewFile;
++
+ FoundRecVolumes++;
+
+ if (RecFileSize==0)
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 42ed47d..08da549 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -70,7 +70,7 @@ void SecPassword::Clean()
+ {
+ PasswordSet=false;
+ if (Password.size()>0)
+- cleandata(&Password[0],Password.size());
++ cleandata(&Password[0],Password.size()*sizeof(Password[0]));
+ }
+
+
+@@ -141,7 +141,7 @@ size_t SecPassword::Length()
+ wchar Plain[MAXPASSWORD];
+ Get(Plain,ASIZE(Plain));
+ size_t Length=wcslen(Plain);
+- cleandata(Plain,ASIZE(Plain));
++ cleandata(Plain,sizeof(Plain));
+ return Length;
+ }
+
+@@ -156,8 +156,8 @@ bool SecPassword::operator == (SecPassword &psw)
+ Get(Plain1,ASIZE(Plain1));
+ psw.Get(Plain2,ASIZE(Plain2));
+ bool Result=wcscmp(Plain1,Plain2)==0;
+- cleandata(Plain1,ASIZE(Plain1));
+- cleandata(Plain2,ASIZE(Plain2));
++ cleandata(Plain1,sizeof(Plain1));
++ cleandata(Plain2,sizeof(Plain2));
+ return Result;
+ }
+
diff -Nru unrar-nonfree-6.2.6/debian/patches/series unrar-nonfree-6.2.6/debian/patches/series
--- unrar-nonfree-6.2.6/debian/patches/series 2023-02-23 12:31:56.000000000 +0900
+++ unrar-nonfree-6.2.6/debian/patches/series 2023-08-26 16:27:26.000000000 +0900
@@ -12,3 +12,4 @@
 0012-Add-PHONY-target.patch
 0013-Add-newline-after-error-message-Closes-774166.patch
 0014-Compiler-warning-fix.patch
+0015-CVE-2023-40477.patch
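Review bot: In the recvol3.cpp hunk at @@ -238, the new bounds guard `continue`s after `File *NewFile=new File;` and `NewFile->TOpen(CurName);` have already run, so a rejected SrcPos leaks the freshly allocated File object. Either move `int SrcPos=FileNumber+P[0]-1;` and its guard above the `new File` line, or release the object on that path: `if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) { delete NewFile; continue; }`. The accompanying comment states the guard is redundant given the range checks in the @@ -226 hunk, so this is a defence-in-depth path rather than a reachable leak, but testing before allocating costs nothing. Note also that `SrcPos>=ASIZE(SrcFile)` compares an int with a size_t; it is safe only because `SrcPos<0` is tested first, and it may draw a sign-compare warning. RecVolumes3::Restore starts and ends outside the hunk.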