Debian Security Advisory

DLA-1014-1 libclamunrar -- LTS security update

Date Reported: 05 Jul 2017
Affected Packages: libclamunrar
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2017-7520.
More information:

It was discovered that there was an arbitrary code execution vulnerability in libclamunrar, a library to add unrar support to the Clam anti-virus software.

This was caused by an integer overflow resulting in a negative value of the ``DestPos`` variable, which allows the attacker to write out of bounds when setting ``Mem[DestPos]``.
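
The following sketch is an added illustration of this bug class and is not libclamunrar's source: apart from ``DestPos`` and ``Mem``, every name, the buffer size, the inputs and the shape of the flawed check are assumptions made for the example. It shows a wrapped 32-bit sum becoming a negative signed index that an upper-bound-only check accepts, beside a store whose index is computed in 64 bits and range-checked before use.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 0x40000u            /* constructed size, not taken from unrar */

static uint8_t Mem[MEM_SIZE];

/* Flawed pattern (hypothetical): the 32-bit sum wraps, the result is treated
 * as signed, and only the upper bound is tested. Returns 1 when the check
 * would let the write through. No write is performed here. */
static int flawed_check(uint32_t base, uint32_t offset, int32_t *DestPos)
{
    /* Out-of-range unsigned-to-signed conversion is implementation-defined;
     * GCC and Clang reduce modulo 2^32, which yields a negative value. */
    *DestPos = (int32_t)(base + offset);
    return *DestPos < (int32_t)MEM_SIZE;   /* negative values pass */
}

/* Hardened pattern: widen before adding so the sum cannot wrap, keep the
 * index unsigned, and reject anything outside [0, MEM_SIZE) before use. */
static int safe_store(uint32_t base, uint32_t offset, uint8_t value)
{
    uint64_t DestPos = (uint64_t)base + offset;
    if (DestPos >= MEM_SIZE)
        return -1;                          /* rejected, nothing written */
    Mem[DestPos] = value;
    return 0;
}

int main(void)
{
    /* Constructed inputs whose 32-bit sum exceeds INT32_MAX. */
    uint32_t base = 0x7fffff00u, offset = 0x200u;
    int32_t pos;
    int accepted = flawed_check(base, offset, &pos);

    printf("flawed check: accepted=%d DestPos=%d\n", accepted, (int)pos);
    printf("safe_store (wrapping inputs): %d\n", safe_store(base, offset, 0x41));
    printf("safe_store (in range): %d\n", safe_store(16, 4, 0x41));
    return 0;
}
```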

For Debian 7 Wheezy, this issue has been fixed in libclamunrar version 0.99-0+deb7u2.

We recommend that you upgrade your libclamunrar packages.