Hello all,

> CVE-2023-40477 is mentioned to be in the RAR4 recovery volume processing code, which
> is recvol.cpp in the unrar source. There was no 6.3 unrar source release yet...

The WinRAR version number "6.23" is the application version. Upstream says CVE-2023-40477 was fixed in WinRAR 6.23 beta 1:
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa

Application version "6.23 beta 1" means source code version "6.2.9". So, CVE-2023-40477 was fixed in UnRAR 6.2.9, which has already been released.

I extracted the 6.2.9 fix and applied it in Git to the other UnRAR versions distributed in Debian 10, 11, and 12. Please examine the fix in the unrar-nonfree Git repository:

[Debian 10] https://github.com/debian-calibre/unrar-nonfree/tree/buster-update
=> fix commit: https://github.com/debian-calibre/unrar-nonfree/commit/7b20ce008d0339316c56bb370063727acaf6c401

[Debian 11] https://github.com/debian-calibre/unrar-nonfree/tree/bullseye-update
=> fix commit: https://github.com/debian-calibre/unrar-nonfree/commit/e0e1632b924e3e466974fa97dc2ac95883784688

[Debian 12] https://github.com/debian-calibre/unrar-nonfree/tree/bookworm-update
=> fix commit: https://github.com/debian-calibre/unrar-nonfree/commit/a4dcd941aae01980c7b3a32c180bfd2e2a9de202

FYI: The RAR application version can be taken from the command line help message or from the "version.hpp" file in the source code. You can examine the application version numbers in the Git commit history:
https://github.com/debian-calibre/unrar-nonfree/commits/master/version.hpp

-- 
YOKOTA Hiroshi
