CVE-2023-40477

Name	CVE-2023-40477
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3542-1, DLA-3543-1, DLA-3653-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libclamunrar (PTS)	buster/non-free	0.102.3-0+deb10u1	vulnerable
	buster/non-free (security)	0.103.10-0+deb10u1	fixed
	bullseye/non-free	0.103.10-1~deb11u1	fixed
	bookworm/non-free	1.0.3-1~deb12u1	fixed
	sid/non-free, trixie/non-free	1.0.3-1	fixed
rar (PTS)	buster/non-free	2:5.5.0-1	vulnerable
	buster/non-free (security)	2:6.23-1~deb10u1	fixed
	bullseye/non-free	2:6.23-1~deb11u1	fixed
	bookworm/non-free	2:6.23-1~deb12u1	fixed
	sid/non-free, trixie/non-free	2:6.23-1	fixed
unrar-nonfree (PTS)	buster/non-free	1:5.6.6-1+deb10u1	vulnerable
	buster/non-free (security)	1:5.6.6-1+deb10u4	fixed
	bullseye/non-free	1:6.0.3-1+deb11u3	fixed
	bookworm/non-free	1:6.2.6-1+deb12u1	fixed
	sid/non-free, trixie/non-free	1:7.0.4-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
libclamunrar	source	buster	0.103.10-0+deb10u1	DLA-3653-1
libclamunrar	source	bullseye	0.103.10-1~deb11u1
libclamunrar	source	bookworm	1.0.3-1~deb12u1
libclamunrar	source	(unstable)	1.0.3-1
rar	source	buster	2:6.23-1~deb10u1	DLA-3543-1
rar	source	bullseye	2:6.23-1~deb11u1
rar	source	bookworm	2:6.23-1~deb12u1
rar	source	(unstable)	2:6.23-1
unrar-nonfree	source	buster	1:5.6.6-1+deb10u4	DLA-3542-1
unrar-nonfree	source	bullseye	1:6.0.3-1+deb11u3
unrar-nonfree	source	bookworm	1:6.2.6-1+deb12u1
unrar-nonfree	source	(unstable)	1:6.2.10-1

Notes

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html