Mageia alert MGASA-2017-0302 (unrar)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0302: Updated unrar packages fix security vulnerabilities 
Date:
    	     
 
Thu, 24 Aug 2017 23:19:03 +0200
Message-ID:
    	     
 
<20170824211903.146859F872@duvel.mageia.org>
MGASA-2017-0302 - Updated unrar packages fix security vulnerabilities

Publication date: 24 Aug 2017
URL: http://advisories.mageia.org/MGASA-2017-0302.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2012-6706,
     CVE-2017-12938,
     CVE-2017-12940,
     CVE-2017-12941,
     CVE-2017-12942

Description:
VMSF_DELTA memory corruption (CVE-2012-6706).

Directory traversal issue in UnRAR before 5.5.7 (CVE-2017-12938).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
EncodeFileName::Decode call within the Archive::ReadHeader15 function
(CVE-2017-12940).

libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the
Unpack::Unpack20 function (CVE-2017-12941).

libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the
Unpack::LongLZ function (CVE-2017-12942).

References:
- https://bugs.mageia.org/show_bug.cgi?id=21134
- https://lists.opensuse.org/opensuse-updates/2017-06/msg00...
- http://openwall.com/lists/oss-security/2017/08/18/2
- http://openwall.com/lists/oss-security/2017/08/18/6
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12938
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12940
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12941
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12942

SRPMS:
- 5/nonfree/unrar-5.50-1.mga5.nonfree