Bug 32205

Summary: unrar new security issue CVE-2023-40477
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: unrar-6.21-1.mga9.nonfree.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-08-29 17:17:51 CEST 
A CVE has been issued for a security issue in unrar:
https://www.debian.org/lts/security/2023/dla-3535

The issue is fixed upstream in 6.2.10.

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-08-29 17:18:25 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => unrar-6.21-1.mga9.nonfree.src.rpm

Comment 1 Nicolas Salguero 2023-08-31 14:34:02 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. (CVE-2023-40477)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40477
https://www.debian.org/lts/security/2023/dla-3535
========================

Updated package in 8/core/updates_testing:
========================
unrar-6.23-1.mga8.nonfree

from SRPM:
unrar-6.23-1.mga8.nonfree.src.rpm

Updated package in 9/core/updates_testing:
========================
unrar-6.23-1.mga9.nonfree

from SRPM:
unrar-6.23-1.mga9.nonfree.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

PC LX 2023-08-31 16:48:22 CEST

CC: (none) => mageia

Comment 2 Herman Viaene 2023-09-04 15:22:47 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Loaded sample from https://getsamplefiles.com/sample-archive-files/rar
tested with engrampa and 
$ unrar e sample-3.rar 

UNRAR 6.23 freeware      Copyright (c) 1993-2023 Alexander Roshal


Extracting from sample-3.rar

Extracting  iphone-7-leaked-2017-ringtone-852 (1).mp4                 OK 
All OK
In both cases the resulting mp4 file plays OK.
Ref also bug 21563, using the attached file and check the contents
$ unrar e test.rar 

UNRAR 6.23 freeware      Copyright (c) 1993-2023 Alexander Roshal


Extracting from test.rar

Extracting  test.sha256                                               OK 
Extracting  test_9.bin                                                OK 
Extracting  test_8.bin                                                OK 
Extracting  test_7.bin                                                OK 
Extracting  test_6.bin                                                OK 
Extracting  test_5.bin                                                OK 
Extracting  test_4.bin                                                OK 
Extracting  test_3.bin                                                OK 
Extracting  test_2.bin                                                OK 
Extracting  test_1.bin                                                OK 
Extracting  test_0.bin                                                OK 
All OK
[tester8@mach7 Documents]$ sha256sum --check test.sha256
test_0.bin: OK
test_1.bin: OK
test_2.bin: OK
test_3.bin: OK
test_4.bin: OK
test_5.bin: OK
test_6.bin: OK
test_7.bin: OK
test_8.bin: OK
test_9.bin: OK
Good enough for me

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 3 Thomas Andrews 2023-09-11 03:00:18 CEST 
MGA9-64 Plasma, i5-2500, Intel graphics.

No installation issues. Used Herman's link to download a different sample rar file:

$ unrar e sample-4.rar 

UNRAR 6.23 freeware      Copyright (c) 1993-2023 Alexander Roshal


Extracting from sample-4.rar

Extracting  romantic-2018-ringtone-300.mp3                            OK 
All OK

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-09-11 03:18:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-09-11 15:09:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0258.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED