[Pkg-clamav-devel] Bug#770647: double free in libclamunrar_iface + memory leak in read_block()

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Nov 22 21:53:50 UTC 2014


Package: libclamunrar
Version: 0.96.4-1
Severity: serious
Tags: security pending

The Debian security tracker references a problem ("clamav: double-free
error libclamunrar_iface/unrar_iface.c") which it learned from
http://www.openwall.com/lists/oss-security/2013/11/29/6
This got marked as fixed in Debian because the Clamav version we use is a
high enough version. However, the file / part of code is not used from
the clamav package but from the libclamunrar package instead. It is
split into another package due to the non-free license of the unrar code.

To double check, the report mentions the file unrar_iface.c. If you
check the buildlog of the clamav package you won't find it together with
gcc. If you check libclamunrar's buildlog then you will see it. Also if
you check libclamunrar_iface.so.6.1.20 you will find the function named
libclamunrar_iface_LTX_unrar_extract_next_prepare which is part of the
libclamunrar package.

To conclude: this problem as such is still not fixed in Wheezy.
The only clamunrar related change between 0.98.1-1 and 0.98.5-1 is a
memory leak fix in read_block(). For that reason and to keep it in sync
with the clamav package I would prefer to have the 0.98.5 version in Wheezy.

Sebastian
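
The cross-check described in the message (which package's build log compiles `unrar_iface.c`, and whether a shared object defines a given symbol) can be scripted. The following is an added example, not part of the original report; the function names are hypothetical and the build-log contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report): find which package's build
# log really compiles a source file named in an advisory.

# compiles_source LOG FILE: succeed if LOG has a gcc/cc "-c" line for FILE.
compiles_source() {
    _log=$1
    # Treat the dots in the file name literally inside the regex.
    _pat=$(printf '%s' "$2" | sed 's/\./[.]/g')
    grep -E '(^|[ /])(gcc|cc)( |$)' "$_log" \
        | grep -E '(^| )-c( |$)' \
        | grep -Eq "(^|[ /])${_pat}( |\$)"
}

# owning_packages FILE LOG...: print each <pkg> whose <pkg>.buildlog compiles FILE.
owning_packages() {
    _src=$1; shift
    for _l in "$@"; do
        if compiles_source "$_l" "$_src"; then basename "$_l" .buildlog; fi
    done
}

# exports_symbol LIB SYM: succeed if shared object LIB defines dynamic symbol SYM.
exports_symbol() {
    nm -D --defined-only "$1" 2>/dev/null \
        | awk -v s="$2" '$NF == s { f = 1 } END { exit !f }'
}

# Constructed sample logs; real ones come from the package build service.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/clamav.buildlog" <<'EOF'
gcc -DHAVE_CONFIG_H -O2 -c scanners.c -o scanners.o
gcc -DHAVE_CONFIG_H -O2 -c unrar_iface_stub.c -o stub.o
note: unrar_iface.c is built from the separate non-free source package
EOF
cat > "$demo_dir/libclamunrar.buildlog" <<'EOF'
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -O2 -c ../libclamunrar_iface/unrar_iface.c  -fPIC -DPIC -o .libs/unrar_iface.o
EOF

echo "unrar_iface.c is compiled by: $(owning_packages unrar_iface.c "$demo_dir"/*.buildlog)"
```

On a system with the library installed, `exports_symbol` can be pointed at libclamunrar_iface.so.6.1.20 with the symbol name quoted in the message to confirm the second half of the check.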


