Package: libclamunrar
Version: 0.96.4-1
Severity: serious
Tags: security pending

The Debian security tracker references a problem ("clamav: double-free error libclamunrar_iface/unrar_iface.c") which it learned from
http://www.openwall.com/lists/oss-security/2013/11/29/6

This got marked as fixed in Debian because the Clamav version we use is a high enough version. However, the file / part of code is not used from the clamav package but from the libclamunrar package instead. It is split into another package due to the non-free license of the unrar code.

To double check, the report mentions the file unrar_iface.c. If you check the buildlog of the clamav package you won't find it together with gcc. If you check libclamunrar's buildlog then you will see it. Also, if you check libclamunrar_iface.so.6.1.20 you will find the function named libclamunrar_iface_LTX_unrar_extract_next_prepare, which is part of the libclamunrar package.

To conclude: this problem as such is still not fixed in Wheezy. The only clamunrar related change between 0.98.1-1 and 0.98.5-1 is a memory leak fix in read_block(). For that reason and to keep it in sync with the clamav package I would prefer to have the 0.98.5 version in Wheezy.

Sebastian