Hi, Regarding CVE-2017-12941 and CVE-2017-12942, unrar-5.5.6 is affected. There is a fixed version of unrar-5.5.7. I am asking:
[1] are the CVEs known to affect any versions of clamav, if so which versions are not affected? [2] These are the vulnerable code examples: #Vulnerable unrar function (CVE-2017-12941) int DistNumber=DecodeNumber(Inp,&BlockTables.DD); unsigned int Distance=DDecode[DistNumber]+1; # Vulnerable unpack longlz (CVE-2017-12942) //ChSetB[DistancePlace]=ChSetB[NewDistancePlace]; -------------------------------------------------- I found this in clamav 0.100.0: ## ClamAV code: unpack20.c //int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data) { ... unsigned int bits, distance; dist_number = rar_decode_number(unpack_data, (struct Decode *)&unpack_data->DD); distance = ddecode[dist_number] + 1 #ClamAV unpack longlz //static void long_lz(unpack_data_t *unpack_data) unpack_data->chsetb[distance_place & 0xff] chsetb[new_distance_place & 0xff] = distance; chsetb[distance_place & 0xff] = unpack_data->chsetb[new_distance_place & 0xff]; it isn't clear to me (as I cannot read C code very well) if these are indeed affected by the CVEs mentioned above. Any one able to clarify? [3] Any commits one can point me to for varification of changes if any? Thank you and apologies if this is old or redundant news already resolved. Referece: http://seclists.org/oss-sec/2017/q3/290 domhnall _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml