Fluid Attacks Database

Description

Integer signedness error in the SET_VALUE function in rarvm.cpp in unrar 3.70 beta 3, as used in products including WinRAR and RAR for OS X, allows user-assisted remote attackers to cause a denial of service (crash) via a crafted RAR archive that causes a negative signed number to be cast to a large unsigned number.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	unrar-nonfree	=3.3.6-2 \|\| =3.3.6-2.0.1 \|\| =3.4.3-1 \|\| >=0 <3.7.3-1.1	3.7.3-1.1
debian 11	unrar-nonfree	=3.3.6-2 \|\| =3.3.6-2.0.1 \|\| =3.4.3-1 \|\| >=0 <3.7.3-1.1	3.7.3-1.1
debian 12	unrar-nonfree	=3.3.6-2 \|\| =3.3.6-2.0.1 \|\| =3.4.3-1 \|\| >=0 <3.7.3-1.1	3.7.3-1.1
debian 12	rar	=1:3.5.1-1 \|\| =1:3.6.0-1 \|\| =2.02-2 \|\| =2.60-1 \|\| =2.80-2 \|\| =3.30-2 \|\| >=0 <1:3.7b1-1	1:3.7b1-1
debian 14	rar	=1:3.5.1-1 \|\| =1:3.6.0-1 \|\| =2.02-2 \|\| =2.60-1 \|\| =2.80-2 \|\| =3.30-2 \|\| >=0 <1:3.7b1-1	1:3.7b1-1
debian 11	rar	=1:3.5.1-1 \|\| =1:3.6.0-1 \|\| =2.02-2 \|\| =2.60-1 \|\| =2.80-2 \|\| =3.30-2 \|\| >=0 <1:3.7b1-1	1:3.7b1-1
debian 13	unrar-nonfree	=3.3.6-2 \|\| =3.3.6-2.0.1 \|\| =3.4.3-1 \|\| >=0 <3.7.3-1.1	3.7.3-1.1
debian 13	rar	=1:3.5.1-1 \|\| =1:3.6.0-1 \|\| =2.02-2 \|\| =2.60-1 \|\| =2.80-2 \|\| =3.30-2 \|\| >=0 <1:3.7b1-1	1:3.7b1-1

Aliases

1. CVE-2007-37262. NVD-2007-37263. OSV-DEBIAN-2007-37264. OSV-2007-37265. SECURITY-TRACKER-CVE-2007-3726

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.