Kees, for "rar" this is true, however, it needs a small modification to use the statically linked binary (as we found out in debian!) the package rar-3.7b1-2 in debian has the neccessary changes.
Regarding unrar - it's the above patch (http://librarian.launchpad.net/6412402/fix_cve_3.5.4_clean) that needs to be applied to dapper and edgy. I've got a breezy patch in the works -- Security update for rar/unrar (CVE-2007-0855) https://launchpad.net/bugs/84657 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs