Your message dated Sun, 23 Nov 2014 05:18:46 +0000
with message-id <e1xspzo-000390...@franck.debian.org>
and subject line Bug#770647: fixed in libclamunrar 0.98.5-1
has caused the Debian Bug report #770647,
regarding double free in libclamunrar_iface + memory leak in read_block()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770647: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770647
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libclamunrar
Version: 0.96.4-1
Severity: serious
Tags: security pending

The Debian security tracker references a problem ("clamav: double-free
error libclamunrar_iface/unrar_iface.c") which it learned from
http://www.openwall.com/lists/oss-security/2013/11/29/6
This got marked as fixed in Debian because the ClamAV version we use is a
high enough version. However the file / part of code is not used from
the clamav package but from the libclamunrar package instead. It is
split into another package due to the non-free license of the unrar code.

To double check, the report mentions the file unrar_iface.c. If you
check the buildlog of the clamav package you won't find it together with
gcc. If you check libclamunrar's buildlog then you will see it. Also if
you check libclamunrar_iface.so.6.1.20 you will find the function named
libclamunrar_iface_LTX_unrar_extract_next_prepare which is part of the
libclamunrar package.

To conclude: this problem as such is still not fixed in Wheezy.
The only clamunrar related change between 0.98.1-1 and 0.98.5-1 is a
memory leak fix in read_block(). For that reason and to keep it in sync
with the clamav package I would prefer to have the 0.98.5 version in Wheezy.

Sebastian

--- End Message ---
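The double check described in the report above (confirm which installed package actually ships the `unrar_extract_next_prepare` code), as an added shell example that is not part of the original messages. The symbol name and the upstream release 0.98.5 come from the report; the helper names and the sample `nm` output are constructed, and the library path is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the bug report. SYMBOL and the upstream release
# 0.98.5 are taken from the report; everything else is an assumption.
SYMBOL='libclamunrar_iface_LTX_unrar_extract_next_prepare'
FIXED_UPSTREAM='0.98.5'

# Constructed sample of `nm -D` output, for trying exports_symbol offline.
sample_nm_output() {
cat <<'EOF'
                 U free
0000000000002b10 T example_other_symbol
0000000000002c40 T libclamunrar_iface_LTX_unrar_extract_next_prepare
EOF
}

# Succeeds if stdin (nm output) lists SYMBOL as a defined text symbol.
# An undefined reference ("U SYMBOL") does not count: that object only
# imports the function and is not the one carrying the code.
exports_symbol() {
    awk -v sym="$SYMBOL" '
        NF >= 3 && $NF == sym && $(NF-1) ~ /^[Tt]$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Reads `dpkg -S` output ("pkg[:arch]: /path") and prints the package name.
owner_package() {
    cut -d: -f1 | head -n 1
}

# Prints which package ships the library and how its version compares
# with the upstream release that the report names as carrying the fix.
audit_library() {
    lib=$1
    if ! nm -D --defined-only "$lib" 2>/dev/null | exports_symbol; then
        echo "$lib: $SYMBOL not defined here"
        return 1
    fi
    pkg=$(dpkg -S "$lib" | owner_package)
    ver=$(dpkg-query -W -f='${Version}' "$pkg")
    if dpkg --compare-versions "$ver" ge "$FIXED_UPSTREAM"; then
        echo "$pkg $ver: contains upstream $FIXED_UPSTREAM or later"
    else
        echo "$pkg $ver: older than upstream $FIXED_UPSTREAM"
    fi
}

if [ "$#" -gt 0 ]; then
    audit_library "$1"
fi
```

Run it with the full path of the installed `libclamunrar_iface.so.6.1.20`; a clean clamav version alone says nothing about this library, which is the point the report makes.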
--- Begin Message ---
Source: libclamunrar
Source-Version: 0.98.5-1

We believe that the bug you reported is fixed in the latest version of
libclamunrar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated libclamunrar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 22 Nov 2014 22:25:35 +0100
Source: libclamunrar
Binary: libclamunrar6
Architecture: source i386
Version: 0.98.5-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Description:
 libclamunrar6 - anti-virus utility for Unix - unrar support
Closes: 770647
Changes:
 libclamunrar (0.98.5-1) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Update to new upstream version.
     - Finally address "double-free error exists within the
       unrar_extract_next_prepare()" (Closes: #770647)
   * Drop automake workaround, the bug was fixed.
   * Fix LFS support using the same approach as clamav for compatibility and
     correctness
 .
   [ Scott Kitterman ]
   * Add build-dep on libssl-dev, needed for configure even if not used
     in libclamunrar
   * Update debian/copyright to add openssl exception per COPYING

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
