Hi, I am going to 0-day NMU this package. The attached patch fixes the problem. It will be also archived on: http://people.debian.org/~nion/nmu-diff/unrar-nonfree-3.7.3-1_3.7.3-1.1.patch
Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u unrar-nonfree-3.7.3/debian/changelog unrar-nonfree-3.7.3/debian/changelog
--- unrar-nonfree-3.7.3/debian/changelog
+++ unrar-nonfree-3.7.3/debian/changelog
@@ -1,3 +1,11 @@
+unrar-nonfree (1:3.7.3-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Fixed integer signedness error in SET_VALUE function in
+ rarvm.cpp (CVE-2007-3726) (Closes: #437703).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Thu, 06 Sep 2007 13:30:31 +0200
+
unrar-nonfree (1:3.7.3-1) unstable; urgency=high
* New upstream release (Closes: #410580)
only in patch2:
unchanged:
--- unrar-nonfree-3.7.3.orig/rarvm.cpp
+++ unrar-nonfree-3.7.3/rarvm.cpp
@@ -843,7 +843,7 @@
int DataSize=R[4];
uint FileOffset=R[6];
- if (DataSize>=VM_GLOBALMEMADDR)
+ if ((DataSize>=VM_GLOBALMEMADDR) || (DataSize<4))
break;
const int FileSize=0x1000000;
@@ -889,7 +889,7 @@
int DataSize=R[4];
uint FileOffset=R[6];
- if (DataSize>=VM_GLOBALMEMADDR)
+ if ((DataSize>=VM_GLOBALMEMADDR) || (DataSize<21))
break;
uint CurPos=0;
pgpnnoUd7VquD.pgp
Description: PGP signature

