update unrar ASAP

Ask questions about your setup or get help installing ZCS server (ZD section below).
User avatar
andras0602
Advanced member
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

update unrar ASAP

Post by andras0602 »

Dear Team and fellow Zimbra admins,

I just came across with this nice article: https://blog.sonarsource.com/zimbra-pre ... nrar-0day/
If you also have unrar installed on any of your servers I highly recommend to remove it or update as soon as possible!

I couldn't get the latest from any of my repos, so the simplest (but not so nice) solution was to download the latest tarball which contains the patched unrar binary and replaced it like:

Code: Select all

curl -O https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
echo '65a1a7e4ecea5730e88c99fc6d3adb461d70bd85cced22bdd6397dea66cd01e0  rarlinux-x64-612.tar.gz' | sha256sum -c - \
&& tar xf rarlinux-x64-612.tar.gz rar/unrar
mv rar/unrar /usr/bin/unrar-nonfree
Here are the VirusTotal scan results for the mentioned tarball: https://www.virustotal.com/gui/file/65a ... ea66cd01e0

Any opinions are welcomed.
Regards,
User avatar
barrydegraaff
Zimbra Employee
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am
Contact:

Re: update unrar ASAP

Post by barrydegraaff »

Hello,

Zimbra has made configuration changes to use the 7zip package instead of unrar. Customers are requested to remove the unrar package (if installed) and use 7zip instead.

This is noted in the release notes for 9.0.0 GA Release Kepler Patch 25 and 8.8.15 GA Release (LTS Release) Joule Patch 32

https://wiki.zimbra.com/wiki/Zimbra_Releases
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
User avatar
andras0602
Advanced member
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: update unrar ASAP

Post by andras0602 »

barrydegraaff wrote:Hello,

Zimbra has made configuration changes to use the 7zip package instead of unrar. Customers are requested to remove the unrar package (if installed) and use 7zip instead.

This is noted in the release notes for 9.0.0 GA Release Kepler Patch 25 and 8.8.15 GA Release (LTS Release) Joule Patch 32

https://wiki.zimbra.com/wiki/Zimbra_Releases
Many thanks! You are absolutely right. Unfortunately I wasn't brave enough (yet) to apply this patch. Do you think Patch 32 is fine now?
User avatar
barrydegraaff
Zimbra Employee
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am
Contact:

Re: update unrar ASAP

Post by barrydegraaff »

yes but always try in a test environment first :-)
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
User avatar
andras0602
Advanced member
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: update unrar ASAP

Post by andras0602 »

"Everybody has a testing environment. Some people are lucky enough enough to have a totally separate environment to run production in." https://twitter.com/stahnma/status/634849376343429120
ghen
Outstanding Member
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: update unrar ASAP

Post by ghen »

It's easy enough to apply this config change directly: https://github.com/Zimbra/zm-amavis/pull/4/files
Ardrad
Posts: 4
Joined: Thu Jun 30, 2022 11:16 am

Re: update unrar ASAP

Post by Ardrad »

Can anyone confirm my understanding that this only affects unrar-nonfree while unrar-free is unaffected on debian based distros?
Thanks
User avatar
andras0602
Advanced member
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: update unrar ASAP

Post by andras0602 »

As I remember unrar-free can't handle the newer RAR formats which we mostly use these days. So why would you use that?
Btw. I could update all my my servers to P32, following this guide: https://wiki.zimbra.com/wiki/Zimbra_Rel ... P32#Redhat
So far so good. ;)
Klug
Ambassador
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them
Contact:

Re: update unrar ASAP

Post by Klug »

Don't forget to install 7zip (yum install p7zip or apt install p7zip), because it's not installed by Zimbra (neither was unrar).
7224jobe
Outstanding Member
Outstanding Member
Posts: 283
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: update unrar ASAP

Post by 7224jobe »

Hi, I followed ghen and Klug instructions, then I noticed that "yum install p7zip" installs /usr/bin/7za executable, and "7z" command is missing. Do I have to put "7za" where "7z" is used on github pull request linked by ghen (https://github.com/Zimbra/zm-amavis/pull/4/files)?

Edit: on CentOS 7 "yum whatprovides 7z" gives this result: p7zip-plugins-16.02-20.el7.x86_64 : Additional plugins for p7zip
Post Reply