archivers/unrar: update to 7.23
Security fixes:
* heap overflow when reconstructing data from RAR5 recovery volumes
* a specially crafted RAR archive could create a symbolic link pointing
outside of the intended destination folder during extraction
Make concurrent sys_msgrcv() wait until we finish message delivery. We
left acquired message in the queue while we are sleeping in msg_copyout().
Concurrent sys_msgrcv() could acquire and delete this message.
Reported-by: syzbot+c80235d951da9769a00f at syzkaller.appspotmail.com
Deduplicate skiplist, shortlist, and NCA retry handling
Introduce helpers functions for manipulating lists of strings, such as
the FQDNs in skiplist & shortlist, and rpkiNotify URLs used for batching
NCA retries.
OK tb@
Restore msgrcv(2) MSG_NOERROR/E2BIG error path. Silently truncate
message is not a good idea.
msgrcv(2) man page has E2BIG error description, no need for update.
ok millert
archivers/unrar: update to 7.23
Security fixes:
* heap overflow when reconstructing data from RAR5 recovery volumes
* a specially crafted RAR archive could create a symbolic link pointing
outside of the intended destination folder during extraction
Don't remove other elements in a RB_FOREACH_SAFE walk since that is not safe.
repo_move_valid() walks the tree with RB_FOREACH_SAFE() but it also calls
RB_REMOVE() via filepath_put() on an other element in a case where a
conflict is resolved. This results in a use-after-free if that element is
the next one in the tree (nfp). Instead of removing the present
conflicting node (ofp), replace the contents of it, free fp and swap fp
with ofp.
With and OK tb@