Is TC subject to this RAR vulnerability?

[brahman]

Hello,
a RAR vulnerability has just been published and fixed a few days ago.

Even opening (not even unpacking) an infected file can trigger this vulnerability.

Is TC11 subject to this vulnerability?

https://www.zerodayinitiative.com/advisories/ZDI-23-1152

[white]

See Rar Sicherheitsproblem - neue unrar.dll?

[ghisler(Author)]

No one knows whether unrar.dll is affected too, or just winrar itself. But since I'm currently preparing the relase of TC 11.01 anyway, I will include the new unrar dlls with it.

If you can't update or don't want to update, you can use the new dlls from rarlab:
https://www.rarlab.com/rar_add.htm (click on UnRAR.dll)

[brahman]

Thank you very much for your advice.

I have already replaced the rar and unrar exes on all my other utilities.

Now that you gave me the link, I can also replace the dlls. There are quite a few on my computer.

[ghisler(Author)]

I have also put the 2 DLLs plus the one I compiled myself for Windows 9x/ME in a separate ZIP installer:
https://www.ghisler.com/unrardll.htm
Just download the ZIP and double click on it in Total Commander to install the new DLLs.

[norfie²]

the original unrar.dll and unrar64.dll libraries provided on our site are not vulnerable

Link

[petermad]

FYI:

21.08.23 Release Total Commander 11.01 release candidate 1
.
.
20.08.23 Fixed: Updated unrar.dll, unrar64.dll and unrar9x.dll (compiled by us for Windows 9x/ME) to latest version 6.23.0 to fix security hole (32/64)

[ghisler(Author)]

Thanks for the info, so the DLLs are not affected. The DLL sources include the files recvol3.cpp und recvol5.cpp, so I assumed that the DLL would also be affected by the security issue in the recovery volume functions.

This gives me a bit more time to release TC 11.01 with less haste.