Hi Ged,

The UnRAR CVE was a driver for getting out the bug fixes sooner than later.  
For 0.105.0 there were a couple other bad bugs we really wanted to fix, notably 
the ERROR response from files where a fuzzy image hash fails.

That said, I don't believe the UnRAR CVE issue is a serious security issue in 
Clam.  Unless you use clamscan's `--leave-temps` option (or clamd's 
`LeaveTemporaryFiles yes` config option), files extracted from RAR 
archives are assigned randomly generated filenames, and so path traversal isn't 
a concern.  If you do have the "leave temps" feature enabled, which you 
wouldn't for production, the temporary file still gets a random suffix added, 
so it can't be used to replace a specific file or directory.  There may still 
be some risk there, but it is significantly mitigated.  I left notes from my 
investigation on this issue if you're interested: 
https://github.com/Cisco-Talos/clamav/issues/580#issuecomment-1192043905

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
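The mitigation described above (the extractor, not the archive, chooses the name each extracted file is written under) sketched as an added example. This is illustrative code written for this thread, not ClamAV's own extraction code; the sample member names, the `extract_members`/`check_extraction`/`demo` functions and the way the "leave temps" suffix is built are assumptions made for the illustration.

```python
import os
import secrets
import tempfile

# Constructed sample "archive": (member name as stored in the archive, content).
# The first member carries the kind of traversal-style name that makes
# archive extraction dangerous when member names are trusted.
SAMPLE_MEMBERS = [
    ("../../outside.txt", b"should never land outside the temp dir"),
    ("docs/readme.txt", b"ordinary member"),
]


def confined(path, root):
    """True if the resolved path lies inside root (symlinks resolved)."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def extract_members(members, tmpdir, leave_temps=False):
    """Write each member to tmpdir under a name the archive does not control.

    Default mode: a purely random file name; the member's own name is ignored.
    leave_temps mode (assumed shape, for illustration): keep the member's
    basename so a human can recognise the file, but append a random suffix,
    so a member cannot name a specific existing file or directory.
    Returns {member_name_in_archive: path_actually_written}.
    """
    written = {}
    for name, data in members:
        if leave_temps:
            # Only the last path component survives, and only as a prefix.
            base = os.path.basename(name.replace("\\", "/")) or "member"
            path = os.path.join(tmpdir, f"{base}.{secrets.token_hex(8)}")
            # O_EXCL: never clobber or follow anything already at that name.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        else:
            fd, path = tempfile.mkstemp(dir=tmpdir, prefix="clamav-")
        if not confined(path, tmpdir):  # defensive; should always hold
            os.close(fd)
            raise RuntimeError(f"refusing to write outside {tmpdir}: {path}")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        written[name] = path
    return written


def check_extraction(tmpdir, written):
    """Invariants a reviewer would want: every file exists, sits directly in
    tmpdir, and the location the archive asked for was not honoured."""
    for name, path in written.items():
        if not (os.path.isfile(path) and confined(path, tmpdir)
                and os.path.dirname(path) == tmpdir):
            return False
        requested = os.path.realpath(os.path.join(tmpdir, name))
        if os.path.realpath(path) == requested:
            return False
    return True


def demo(leave_temps=False):
    """Extract SAMPLE_MEMBERS into a fresh temp dir; return (tmpdir, mapping)."""
    tmpdir = tempfile.mkdtemp(prefix="demo-")
    return tmpdir, extract_members(SAMPLE_MEMBERS, tmpdir, leave_temps)


if __name__ == "__main__":
    for mode in (False, True):
        d, w = demo(leave_temps=mode)
        print(f"leave_temps={mode}: ok={check_extraction(d, w)}")
        for member, p in w.items():
            print(f"  {member!r} -> {p}")
```

Running it shows both modes: in the default mode the traversal-style member name never appears in the written path at all, and in the "leave temps" mode only its basename survives, followed by a random suffix, so the archive still cannot pick the destination.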
________________________________
From: clamav-devel <clamav-devel-boun...@lists.clamav.net> on behalf of G.W. 
Haywood <clamav-de...@jubileegroup.co.uk>
Sent: Wednesday, July 27, 2022 6:31 AM
To: clamav-devel@lists.clamav.net <clamav-devel@lists.clamav.net>
Subject: Re: [Clamav-devel] ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions 
published

Hi there,

On Wed, 27 Jul 2022, Micah Snyder wrote:

> Today, we are releasing the following critical patch versions:

I haven't been able to find the details, but presumably this is to fix
CVE-2022-30333 in unrar?

--

73,
Ged.
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: 
https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml