An integer overflow in RAR and UnRAR might allow remote attackers to execute arbitrary code.
|Package||app-arch/rar on all architectures|
|Affected versions||< 5.5.0_beta4_p20170628|
|Unaffected versions||>= 5.5.0_beta4_p20170628|
|Package||app-arch/unrar on all architectures|
|Affected versions||< 5.5.5|
|Unaffected versions||>= 5.5.5|
RAR and UnRAR provide command line interfaces for compressing and decompressing RAR files.
A VMSF_DELTA memory corruption was discovered in which an integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the “DestPos” variable which allows writing out of bounds when setting Mem[DestPos].
A remote attacker, by enticing a user to open a specially crafted archive, could execute arbitrary code with the privileges of the process.
There is no known workaround at this time.
All RAR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/rar-5.5.0_beta4_p20170628"
All UnRAR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/unrar-5.5.5"