Overview

File _patchinfo of Package patchinfo.6946

<patchinfo incident="6946">
  <issue id="1046882" tracker="bnc">Unrar shows many "Conditional jump or move depends on uninitialised value"  warning with valgrind.</issue>
  <issue id="1054038" tracker="bnc">VUL-0: CVE-2017-12938: unrar: 4 bugs in unrar</issue>
  <issue id="1187974" tracker="bnc">fixes heap-based buffer overflow in Unpack:CopyString</issue>
  <issue id="2017-12938" tracker="cve" />
  <issue id="2017-12941" tracker="cve" />
  <issue id="2017-12940" tracker="cve" />
  <issue id="2012-6706" tracker="cve" />
  <issue id="2017-12942" tracker="cve" />
  <issue id="2017-20006" tracker="cve" />
  <issue tracker="jsc" id="SLE-20843"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>kstreitova</packager>
  <description>This update for unrar to version 5.6.1 fixes several issues.

These security issues were fixed:

- CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
  protection mechanism via vectors involving a symlink to the . directory, a
  symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call
  within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
  function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function
  (bsc#1054038).
- CVE-2017-20006: Fixed heap-based buffer overflow in Unpack:CopyString (bsc#1187974).

These non-security issues were fixed:

- Added extraction support for .LZ archives created by Lzip compressor
- Enable unpacking of files in ZIP archives compressed with XZ algorithm and
  encrypted with AES
- Added support for PAX extended headers inside of TAR archive
- If RAR recovery volumes (.rev files) are present in the same folder as usual
  RAR volumes, archive test command verifies .rev contents after completing
  testing .rar files
- By default unrar skips symbolic links with absolute paths in link target when
  extracting unless -ola command line switch is specified
- Added support for AES-NI CPU instructions
- Support for a new RAR 5.0 archiving format
- Wildcard exclusion mask for folders
- Prevent conditional jumps depending on uninitialised values (bsc#1046882)
</description>
  <summary>Security update for unrar</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places