Package: unrar
Version: 1:3.7.2-1
Severity: critical
Tags: security
From CVE-2007-0855: "Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted, password-protected archive." See [1] for details.

On the day of the public release of the advisory, unrar 3.7.3 was released, which implies that version 3.7.2 is vulnerable (there is no detailed changelog, however). A new rar version has also been released.

Severity is critical because rar or unrar is called by amavisd-new in its default configuration (with parameter -p- to suppress password input), which probably turns this issue into a remote arbitrary code execution vulnerability.

[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=472
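The report infers the affected range from release timing alone: anything older than the 3.7.3 upstream release is to be treated as affected. The following POSIX sh script is an added example, not part of the bug report or of the unrar or amavisd-new projects; it takes a Debian version string such as the one in the report (epoch "1:", upstream "3.7.2", revision "-1"), strips the epoch and revision, and compares the upstream part against 3.7.3 field by field. The cut-off version 3.7.3 is the report's inference, not a confirmed fixed-version from a changelog, and the comparison assumes purely numeric dotted upstream versions.

```shell
#!/bin/sh
# Added example (not from the bug report): flag an installed unrar whose
# upstream version is older than the 3.7.3 release that coincided with the
# CVE-2007-0855 advisory. The cut-off is the report's inference, not a
# documented fix version.
FIXED_UPSTREAM=3.7.3

# upstream_version '1:3.7.2-1' -> '3.7.2'
# Drops a leading epoch ("N:") and a trailing Debian revision ("-N").
upstream_version() {
    v=${1#*:}
    v=${v%-*}
    printf '%s\n' "$v"
}

# version_lt A B: succeed (exit 0) when dotted version A is numerically
# older than B. Missing trailing fields count as 0, so 3.7 == 3.7.0.
# Only numeric fields are handled; a suffix such as "beta" is not parsed.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}
        bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ax=${ax:-0}
        bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# unrar_vulnerable DEBIAN_VERSION: succeed when the upstream part of the
# given package version is older than $FIXED_UPSTREAM.
unrar_vulnerable() {
    version_lt "$(upstream_version "$1")" "$FIXED_UPSTREAM"
}

# Optional stand-alone use: pass a version string on the command line, e.g.
#   sh check-unrar.sh "$(dpkg-query -W -f '${Version}' unrar)"
if [ -n "${1:-}" ]; then
    if unrar_vulnerable "$1"; then
        echo "$1: upstream older than $FIXED_UPSTREAM, treat as affected by CVE-2007-0855"
    else
        echo "$1: upstream not older than $FIXED_UPSTREAM"
    fi
fi
```

The version string is passed in rather than queried inside the functions so the check can be run against a package list from any host, for example the output of `dpkg-query -W -f '${Version}' unrar` collected from mail gateways running amavisd-new.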