-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0626
                        unrar-free security update
                             19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unrar-free
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14122 CVE-2017-14121 CVE-2017-14120

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/02/msg00026.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running unrar-free check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2567-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
February 18, 2021                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : unrar-free
Version        : 1:0.0.1+cvs20140707-1+deb9u1
CVE ID         : CVE-2017-14120 CVE-2017-14121 CVE-2017-14122

Several issues have been found in unrar-free, an unarchiver for .rar files.

CVE-2017-14120

     This CVE is related to a directory traversal vulnerability for
     RAR v2 archives.

CVE-2017-14121

     This CVE is related to a NULL pointer dereference flaw triggered
     by a specially crafted RAR archive.

CVE-2017-14122

     This CVE is related to a stack-based buffer over-read.


For Debian 9 stretch, these problems have been fixed in version
1:0.0.1+cvs20140707-1+deb9u1.

We recommend that you upgrade your unrar-free packages.

For the detailed security status of unrar-free please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unrar-free

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----