Security update for unrar

SUSE Security Update: Security update for unrar
Announcement ID: SUSE-SU-2018:0862-1
Rating: moderate
References: #1046882 #1054038 #513804 #693890
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that fixes 5 vulnerabilities is now available.


    This update for unrar to version 5.6.1 fixes several issues.

    These security issues were fixed:

    - CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
    protection mechanism via vectors involving a symlink to the . directory,
    a symlink to the .. directory, and a regular file (bsc#1054038).
    - CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode
    call within the Archive::ReadHeader15 function (bsc#1054038).
    - CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
    function (bsc#1054038).
    - CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function

    These non-security issues were fixed:

    - Added extraction support for .LZ archives created by Lzip compressor
    - Enable unpacking of files in ZIP archives compressed with XZ algorithm
    and encrypted with AES
    - Added support for PAX extended headers inside of TAR archive
    - If RAR recovery volumes (.rev files) are present in the same folder as
    usual RAR volumes, archive test command verifies .rev contents after
    completing testing .rar files
    - By default unrar skips symbolic links with absolute paths in link target
    when extracting unless -ola command line switch is specified
    - Added support for AES-NI CPU instructions
    - Support for a new RAR 5.0 archiving format
    - Wildcard exclusion mask for folders
    - Added libunrar* and libunrar*-devel subpackages (bsc#513804)
    - Prevent conditional jumps depending on uninitialised values (bsc#1046882)

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-unrar-13542=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-unrar-13542=1

    Package List:

    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • unrar-5.6.1-5.3.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • unrar-debuginfo-5.6.1-5.3.1
      • unrar-debugsource-5.6.1-5.3.1