In issue 810 we pointed out to Symantec that they hadn't updated their unrar based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.
I had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.
Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.
As in issue 810 , these are remote code execution vulnerabilities at the highest possible privilege level.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
|
rar-standard-filter-oob-write.zip
1.1 MB
Download
|
Status: Fixed