Your message dated Mon, 12 Feb 2007 04:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#410582: fixed in rar 1:3.7b1-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: unrar
Version: 1:3.7.2-1
Severity: critical
Tags: security
From CVE-2007-0855:
"Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and
possibly other products, allows user-assisted remote attackers to execute
arbitrary code via a crafted, password-protected archive."
See [1] for details. On the day of the public release of the advisory, unrar
3.7.3 was released, which implies that version 3.7.2 is vulnerable (there
is no detailed changelog, however).
A new rar version has also been released.
Severity critical because rar or unrar is called by amavisd-new in its default
configuration (with parameter -p- to suppress password input), which probably
turns this issue into a remote arbitrary code execution vulnerability.
[1]
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=472
--- End Message ---
--- Begin Message ---
Source: rar
Source-Version: 1:3.7b1-1
We believe that the bug you reported is fixed in the latest version of
rar, which is due to be installed in the Debian FTP archive:
rar_3.7b1-1.diff.gz
to pool/non-free/r/rar/rar_3.7b1-1.diff.gz
rar_3.7b1-1.dsc
to pool/non-free/r/rar/rar_3.7b1-1.dsc
rar_3.7b1-1_amd64.deb
to pool/non-free/r/rar/rar_3.7b1-1_amd64.deb
rar_3.7b1-1_i386.deb
to pool/non-free/r/rar/rar_3.7b1-1_i386.deb
rar_3.7b1.orig.tar.gz
to pool/non-free/r/rar/rar_3.7b1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Meredith <[EMAIL PROTECTED]> (supplier of updated rar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 12 Feb 2007 02:59:57 +0000
Source: rar
Binary: rar
Architecture: amd64 i386 source
Version: 1:3.7b1-1
Distribution: unstable
Urgency: high
Maintainer: Martin Meredith <[EMAIL PROTECTED]>
Changed-By: Martin Meredith <[EMAIL PROTECTED]>
Description:
rar - Archiver for .rar files
Closes: 410582
Changes:
rar (1:3.7b1-1) unstable; urgency=high
.
* New upstream release (Closes: #410582)
Files:
422ab98779a8bc3e46daba15e97c8f5f 267472 non-free/utils optional rar_3.7b1-1_i386.deb
92df6d36aa97d48150fe7ad661a69e52 267248 non-free/utils optional rar_3.7b1-1_amd64.deb
e3513d790d0e590175467d2a35929522 7791 non-free/utils optional rar_3.7b1-1.diff.gz
5a814f0e746c8568fe311c5d84adabb1 568 non-free/utils optional rar_3.7b1-1.dsc
f9313410e1f9d223c40e75d7207c6f0a 769033 non-free/utils optional rar_3.7b1.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFz+ZYAQwuptkwlkQRAi1aAJ9tkW/TGv6sngcQvocOIDlISg301ACdEsv8
Ip3ahR9k3YqoCbhrHr3aFZQ=
=6NN+
-----END PGP SIGNATURE-----
--- End Message ---
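The signed .changes above carries a Files: stanza giving an MD5 digest, size, section, priority and filename for each uploaded artifact. As an added example (not part of the thread and not Debian's own dpkg tooling), the following Python parses that stanza, with the five entries quoted in the message embedded as the sample input (wrapped lines rejoined), and verifies a downloaded file against its entry. The function and class names (parse_files_stanza, verify_bytes, verify_file, ChangesFile) are this example's own. MD5 in the 2007-era format only catches corruption or a mismatched download; what binds the hashes to the maintainer is the PGP signature on the .changes, so the stanza should only be trusted after that signature has been checked. The parser also refuses filenames containing a path component, since a .changes from an untrusted source could otherwise steer the verifier outside the pool directory.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Constructed sample: the Files: stanza from the rar 1:3.7b1-1 .changes quoted above,
# with each entry rejoined onto one line as it appears in the real file.
CHANGES_FILES_STANZA = """\
Files:
 422ab98779a8bc3e46daba15e97c8f5f 267472 non-free/utils optional rar_3.7b1-1_i386.deb
 92df6d36aa97d48150fe7ad661a69e52 267248 non-free/utils optional rar_3.7b1-1_amd64.deb
 e3513d790d0e590175467d2a35929522 7791 non-free/utils optional rar_3.7b1-1.diff.gz
 5a814f0e746c8568fe311c5d84adabb1 568 non-free/utils optional rar_3.7b1-1.dsc
 f9313410e1f9d223c40e75d7207c6f0a 769033 non-free/utils optional rar_3.7b1.orig.tar.gz
"""


@dataclass(frozen=True)
class ChangesFile:
    """One entry of a .changes Files: field (hypothetical helper type for this example)."""
    md5: str
    size: int
    section: str
    priority: str
    name: str


# md5 (32 hex), size, section, priority, filename; continuation lines are indented.
_FILE_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_files_stanza(text):
    """Parse the 'Files:' field of a Debian .changes file into {filename: ChangesFile}."""
    entries = {}
    in_files = False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if not in_files:
            continue
        if not line.startswith((" ", "\t")):
            break  # a non-indented line starts the next field; the stanza is over
        m = _FILE_LINE.match(line)
        if not m:
            raise ValueError("malformed Files: line: %r" % line)
        md5, size, section, priority, name = m.groups()
        # A filename with a path component would let a hostile .changes point the
        # verifier at files outside the pool directory; refuse it outright.
        if "/" in name or name in (".", ".."):
            raise ValueError("refusing filename with path component: %r" % name)
        entries[name] = ChangesFile(md5, int(size), section, priority, name)
    return entries


def verify_bytes(entry, data):
    """Return (size_ok, md5_ok) for in-memory file contents against a Files: entry."""
    size_ok = len(data) == entry.size
    md5_ok = hashlib.md5(data).hexdigest() == entry.md5
    return size_ok, md5_ok


def verify_file(entry, directory):
    """Return (size_ok, md5_ok) for entry.name located in directory (streamed read)."""
    path = os.path.join(directory, entry.name)
    size_ok = os.path.getsize(path) == entry.size
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return size_ok, h.hexdigest() == entry.md5


if __name__ == "__main__":
    for name, entry in parse_files_stanza(CHANGES_FILES_STANZA).items():
        print(name, entry.size, entry.md5)
```

Run it against a directory holding the downloaded files with verify_file(entry, "pool/non-free/r/rar") for each parsed entry; a (True, True) result means the file matches what the signed .changes declared.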