Hot on the heels of CVE-2023-20197, ClamAV have announced another security issue, as a result of the RAR issue CVE-2023-40477:
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html

This probably comes under libclamunrar rather than clamav, since it affects the non-free unrar package bundled by ClamAV but unbundled by Debian.

I am afraid I have not been able to build any of the recent versions of clamav (I am on Ubuntu which probably does not help) and cannot confirm whether or not the fixed unrar-nonfree package for sid/CVE-2023-40477 is sufficient.

-- 
Andrew C. Aitchison
Kendal, UK
[email protected]
