https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug/
A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use.
[...] Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
(Score: 0) by Anonymous Coward on Monday April 09 2018, @08:50PM (8 children)
Unrar is not open source and as far as I know it never was. It is distributed under a proprietary license with significant restrictions on usage and modifications.
(Score: 0) by Anonymous Coward on Monday April 09 2018, @09:06PM (1 child)
License:
https://www.win-rar.com/winrarlicense.html [win-rar.com]
Looks like unrar may be a bit different from rar (and gui version winrar), since there is the mention of source for unrar??
IANAL...
(Score: 0) by Anonymous Coward on Monday April 09 2018, @09:21PM
That's not the unrar license, although it includes parts of it. A web search turned up this copy of the license text [fedoraproject.org], which matches what is found in tar file you can download from rarlab.com.
Note that there are actual free unpackers for the RAR formats (e.g., libarchive) so there is no reason to use the proprietary unrar.
(Score: 2) by DannyB on Monday April 09 2018, @09:13PM
Shhhhhh! If unrar isn't open source, how will Microsoft be able to bad mouth open source?
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 1, Interesting) by Anonymous Coward on Monday April 09 2018, @09:41PM (1 child)
From the source code:
Might be perfectly legal, if you have good lawyers, because the license says "may be used [to open rar archives] without limitations free of charge" and restricting people from changing your source is such a restriction.
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @03:51AM
That doesn't sound like FOSS. That's proprietary with access to source code.
So people, beginning with Microsoft, lay all the blame for Microsoft's screw-up on FOSS, when the code wasn't even FOSS to begin with? Typical.
(Score: 3, Interesting) by FatPhil on Monday April 09 2018, @11:05PM (2 children)
This is what RMS keeps saying - the more-free licenses are worse, as they permit others to take desirable rights away.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Tuesday April 10 2018, @02:17PM (1 child)
Nobody who cares about free software gives two shits about Unrar's license being "too permissive".
Unrar is proprietary and Windows Defender is proprietary and both are bad.
TFA (quoting Google's Tavis Ormandy) calls unrar "open source" which is simply wrong.
(Score: 2) by FatPhil on Wednesday April 11 2018, @07:15PM
RedHat do (URL posted elsewhere by elsewho).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves