Hi Bastian,

On Fri, Aug 25, 2023 at 10:53:24AM +0200, Bastian Germann wrote:
> On 25.08.23 at 09:49, Salvatore Bonaccorso wrote:
> > Hi Chris,
> >
> > On Thu, Aug 24, 2023 at 04:02:22PM +0200, Christoph Anton Mitterer wrote:
> > > Hey.
> > >
> > > Unrar data in the security tracker seems to miss:
> > >
> > > CVE-2023-40477 https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
> > > CVE-2023-38831 https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
> > >
> > > AFAIU, at least the first one is already fixed in Debian (not sure
> > > about the 2nd).
> >
> > I'm not sure if those are WinRAR specific or apply as well to src:rar
> > and src:unrar-nonfree.
>
> CVE-2023-40477 is mentioned to be in RAR4 recovery volume processing code, which
> is recvol.cpp in the unrar source. There was no 6.3 unrar source release
> yet...
>
> I guess CVE-2023-38831 is only in WinRAR as that is about hiding file
> extensions and even if the unix version was affected it would not make much
> noise with .exe not being executable by name.

Thanks, I have marked the latter for now as WinRAR specific.

Regards,
Salvatore
