Security update for rar/unrar (CVE-2007-0855)

Bug #84657 reported by Martin Meredith
Affects                    Status        Importance  Assigned to       Milestone
Edgy Backports             Fix Released  Undecided   Unassigned
rar (Debian)               Fix Released  Unknown
rar (Gentoo Linux)         Fix Released  Medium
rar (Ubuntu)               Fix Released  Undecided   Martin Meredith
  Breezy                   Invalid       Undecided   Unassigned
  Dapper                   Won't Fix     Undecided   Unassigned
  Edgy                     Won't Fix     Undecided   Unassigned
  Feisty                   Fix Released  Undecided   Martin Meredith
unrar-nonfree (Debian)     Fix Released  Unknown
unrar-nonfree (Ubuntu)     Fix Released  Undecided   Martin Meredith
  Breezy                   Invalid       Undecided   Unassigned
  Dapper                   Fix Released  Undecided   Unassigned
  Edgy                     Won't Fix     Undecided   Unassigned
  Feisty                   Fix Released  Undecided   Martin Meredith

Bug Description

Package unrar-nonfree is affected by CVE-2007-0855

Package uploaded to feisty, changes need to be made also in dapper, edgy, and edgy-backports

CVE References: CVE-2007-0855

Revision history for this message
Martin Meredith (mez) wrote :

Attached is patch for 3.5.4 (edgy and dapper)

Changed in unrar-nonfree:
status: Unconfirmed → Fix Committed
Martin Meredith (mez)
description: updated
Martin Meredith (mez) wrote :

As rar is also affected, but binary only, what is the procedure for updating dapper and edgy (and possibly breezy too, as that's still not OBSOLETE)?

Martin Meredith (mez) wrote :

Patch for breezy unrar-nonfree

Changed in rar:
status: Unconfirmed → Fix Committed
Kees Cook (kees) wrote :

Seems the multi-byte actions should only happen if the entire range passes IS_VM_MEM()? Instead of:

+ if (IS_VM_MEM(Addr))
+ {
+ ((byte *)Addr)[0]=(byte)Value;
+ ((byte *)Addr)[1]=(byte)(Value>>8);
+ ((byte *)Addr)[2]=(byte)(Value>>16);
+ ((byte *)Addr)[3]=(byte)(Value>>24);

Does this make more sense:

+ if (IS_VM_MEM(Addr) &&
+ IS_VM_MEM(&((byte*)Addr[3]))
+ {
+ ((byte *)Addr)[0]=(byte)Value;
+ ((byte *)Addr)[1]=(byte)(Value>>8);
+ ((byte *)Addr)[2]=(byte)(Value>>16);
+ ((byte *)Addr)[3]=(byte)(Value>>24);
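Review bot: the proposed condition `IS_VM_MEM(&((byte*)Addr[3]))` has an operator-precedence problem and the `if (` on the line above it is never closed. The subscript binds tighter than the cast, so the expression reads as `(byte*)(Addr[3])`, indexing `Addr` with its original pointer type, rather than taking the address of byte 3 of the cast pointer. Suggest `IS_VM_MEM((byte*)Addr+3)` or `IS_VM_MEM(&((byte*)Addr)[3])`, with the missing `)` added, so that both the first and the last byte of the 4-byte store are range-checked before any byte is written.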

Changed in rar:
status: Unknown → Fix Released
Changed in unrar-nonfree:
status: Unknown → Fix Released
Martin Meredith (mez) wrote :

Quote from email

All these changes in rarvm.cpp code are related to endianness issue
on big endian computers. So users may notice these fixes only on big
endian machine.

Besides, I forgot to mention that real vulnerability was fixed
in GetPassword function in consio.cpp. So if you use 3.6.x version
of this function, please upgrade it to 3.7.3 code.

Martin Meredith (mez) wrote :

So, it seems that the real issue is in consio.cpp and wasn't in 3.7.2 ...

Patch attached for 3.5.4

Martin Meredith (mez) wrote :

unrar-nonfree 3.7.3 approved for backporting to edgy (This is to replace the currently backported version of unrar-nonfree, which includes the security issue, not to work as a security fix (this will be done in the usual process))

Martin Meredith (mez) wrote :

rar 1:3.7b1-0ubuntu11 (typo on upload for XubuntuY!) approved for backporting to edgy (This is to replace the currently backported version of rar, which includes the security issue, not to work as a security fix)

Changed in edgy-backports:
status: Unconfirmed → In Progress
Martin Meredith (mez) wrote :

Clean patch for 3.5.4 (as advised by debian Security team)

Kees Cook (kees) wrote :

Hi! Thanks for getting this collected. So as I understand it, for breezy, dapper, edgy, this binary blob package needs to just be put into the archives, is that correct? Have you tested it for those architectures?

Martin Meredith (mez) wrote :

Kees, for "rar" this is true; however, it needs a small modification to use the statically linked binary (as we found out in Debian!). The package rar-3.7b1-2 in Debian has the necessary changes.

Regarding unrar - it's the above patch (http://librarian.launchpad.net/6412402/fix_cve_3.5.4_clean) that needs to be applied to dapper and edgy. I've got a breezy patch in the works

Kees Cook (kees)
Changed in rar:
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in rar:
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
status: Unconfirmed → Confirmed
Changed in unrar-nonfree:
assignee: nobody → mez
status: Fix Committed → Fix Released
Changed in rar:
assignee: nobody → mez
Kees Cook (kees) wrote :

For unrar-nonfree, the patches don't apply to earlier versions. :(

 consio.cpp: In function 'void GetPasswordText(char*, int)':
 consio.cpp:125: error: 'strncpyz' was not declared in this scope
 consio.cpp: In function 'bool GetPassword(PASSWORD_TYPE, const char*, char*, int)':
 consio.cpp:171: error: 'ASIZE' was not declared in this scope

For the rar package, it looks like a good bit of time will be needed to do all the orig.tar.gz's, etc. At the moment, I don't have time to get these sorted out. If someone can generate (tested) debdiffs for each of the stable releases, I can get them uploaded.

Changed in unrar-nonfree:
status: Unconfirmed → Confirmed
status: Unconfirmed → Fix Released
status: Fix Released → Confirmed
status: Unconfirmed → Confirmed
Martin Meredith (mez) wrote : Re: [Bug 84657] Re: Security update for rar/unrar (CVE-2007-0855)

Yeah, I just realised about the patch myself... need to pull in changes
in rardefs.hpp and strfn.{cpp,hpp} too

On Thu, 2007-02-15 at 18:51 +0000, Kees Cook wrote:
> For unrar-nonfree, the patches don't apply to earlier versions. :(
>
> consio.cpp: In function 'void GetPasswordText(char*, int)':
> consio.cpp:125: error: 'strncpyz' was not declared in this scope
> consio.cpp: In function 'bool GetPassword(PASSWORD_TYPE, const char*, char*, int)':
> consio.cpp:171: error: 'ASIZE' was not declared in this scope
>
> For the rar package, it looks like a good bit of time will be needed to
> do all the orig.tar.gz's, etc. At the moment, I don't have time to get
> these sorted out. If someone can generate (tested) debdiffs for each of
> the stable releases, I can get them uploaded.
>
>
> ** Changed in: rar (Ubuntu Breezy)
> Status: Unconfirmed => Confirmed
>
> ** Changed in: rar (Ubuntu Dapper)
> Status: Unconfirmed => Confirmed
>
> ** Changed in: rar (Ubuntu Edgy)
> Status: Unconfirmed => Confirmed
>
> ** Changed in: unrar-nonfree (Ubuntu Feisty)
> Assignee: (unassigned) => Martin Meredith
> Status: Fix Committed => Fix Released
>
> ** Changed in: rar (Ubuntu Feisty)
> Assignee: (unassigned) => Martin Meredith
>
> ** Changed in: unrar-nonfree (Ubuntu Breezy)
> Status: Unconfirmed => Confirmed
>
> ** Changed in: unrar-nonfree (Ubuntu Dapper)
> Status: Unconfirmed => Fix Released
>
> ** Changed in: unrar-nonfree (Ubuntu Dapper)
> Status: Fix Released => Confirmed
>
> ** Changed in: unrar-nonfree (Ubuntu Edgy)
> Status: Unconfirmed => Confirmed
>

Martin Pitt (pitti) wrote :

 * Trying to backport unrar-nonfree...
  - <unrar-nonfree_3.7.3.orig.tar.gz: downloading from librarian>
  - <unrar-nonfree_3.7.3-1.diff.gz: downloading from librarian>
  - <unrar-nonfree_3.7.3-1.dsc: downloading from librarian>
I: Extracting unrar-nonfree_3.7.3-1.dsc ... done.
I: Building backport of unrar-nonfree-3.7.3 as 1:3.7.3-1~edgy1 ... done.

Changed in edgy-backports:
status: In Progress → Fix Released
Marco Rodrigues (gothicx) wrote :

Breezy support is over. Today it's Breezy End Of Life!

Changed in unrar-nonfree:
status: Confirmed → Rejected
Changed in rar:
status: Confirmed → Rejected
Changed in rar:
status: Unknown → Fix Released
William Grant (wgrant) wrote :

Edgy is EOL.

Changed in rar:
status: Confirmed → Won't Fix
Changed in unrar-nonfree:
status: Confirmed → Won't Fix
Martin Meredith (mez)
Changed in unrar-nonfree (Ubuntu Dapper):
status: Confirmed → Fix Released
Steve Beattie (sbeattie)
tags: added: patch-needswork
Changed in rar (Gentoo Linux):
importance: Unknown → Medium
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in rar (Ubuntu Dapper):
status: Confirmed → Won't Fix