Your message dated Sun, 23 Nov 2014 05:18:46 +0000 with message-id <[email protected]> and subject line Bug#770647: fixed in libclamunrar 0.98.5-1 has caused the Debian Bug report #770647, regarding double free in libclamunrar_iface + memory leak in read_block() to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
770647: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770647
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libclamunrar
Version: 0.96.4-1
Severity: serious
Tags: security pending

The Debian security tracker references a problem ("clamav: double-free error libclamunrar_iface/unrar_iface.c") which it learned from http://www.openwall.com/lists/oss-security/2013/11/29/6

This got marked as fixed in Debian because the ClamAV version we use is a high enough version. However, the file / part of code is not used from the clamav package but from the libclamunrar package instead. It is split into another package due to the non-free license of the unrar code.

To double check, the report mentions the file unrar_iface.c. If you check the buildlog of the clamav package you won't find it together with gcc. If you check libclamunrar's buildlog then you will see it. Also if you check libclamunrar_iface.so.6.1.20 you will find the function named libclamunrar_iface_LTX_unrar_extract_next_prepare which is part of the libclamunrar package.

To conclude: this problem as such is still not fixed in Wheezy. The only clamunrar related change between 0.98.1-1 and 0.98.5-1 is a memory leak fix in read_block(). For that reason and to keep it in sync with the clamav package I would prefer to have the 0.98.5 version in Wheezy.

Sebastian
--- End Message ---
--- Begin Message ---
Source: libclamunrar
Source-Version: 0.98.5-1

We believe that the bug you reported is fixed in the latest version of libclamunrar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated libclamunrar package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 22 Nov 2014 22:25:35 +0100
Source: libclamunrar
Binary: libclamunrar6
Architecture: source i386
Version: 0.98.5-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 libclamunrar6 - anti-virus utility for Unix - unrar support
Closes: 770647
Changes:
 libclamunrar (0.98.5-1) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Update to new upstream version.
     - Finally address "double-free error exists within the
       unrar_extract_next_prepare()" (Closes: #770647)
   * Drop automake workaround, the bug was fixed.
   * Fix LFS support using the same approach as clamav for compatibility
     and correctness
 .
   [ Scott Kitterman ]
   * Add build-dep on libssl-dev, needed for configure even if not used in
     libclamunrar
   * Update debian/copyright to add openssl exception per COPYING
--- End Message ---

