package: unrar
severity: grave
tags: security

---------- Forwarded Message ---------
From: Simon Scannell <simon.scann...@sonarsource.com>
Subject: CVE-2022-30333 (unrar file write vulnerability) patch not yet available for Debian 10 packages
Date: May 11 2022, at 6:08 am
To: m...@debian.org
Cc: Vulnerability Research Team <vulnerability.resea...@sonarsource.com>

> Dear Martin,
>
> I am contacting you as you are listed as the maintainer for the unrar
> package for Debian 10 as listed here:
> https://debian.pkgs.org/10/debian-nonfree-arm64/unrar_5.6.6-1_arm64.deb.html
>
> We recently reported a vulnerability (CVE-2022-30333) to RarLab. It is
> a file write vulnerability that allows an attacker to write a file
> outside of a target extraction dir when unarchiving an untrusted RAR
> archive. We have identified high-profile software that is affected
> by this vulnerability.
>
> The vulnerability has been patched in RarLab's upstream version 6.12
> (https://www.rarlab.com/download.htm).
>
> If the changelog file is up to date, it seems like the package has not
> been updated yet, so no fix is available for users.
>
> Please view this email as a friendly heads-up about this issue. Once
> the package is updated, users can secure themselves.
>
> Thank you,
> Simon Scannell | Sonar
>
> Vulnerability Researcher
> Twitter: @scannell_simon
> https://sonarsource.com
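Added example (not part of the forwarded report, nor code from Debian or RarLab): two pre-flight checks a Debian 10 admin can run while the package is still unpatched. The first gates on the installed unrar being at or above the upstream 6.12 release the report names as fixed; the second screens archive entry names so that none would resolve outside the intended extraction directory. It assumes the `unrar` banner begins "UNRAR X.YY" and that the caller can obtain entry names from a listing (for example `unrar l`) or a library; the entry names in the block are constructed test data and do not reproduce the CVE's actual trigger, which the report does not describe.

```python
"""Pre-flight checks before extracting an untrusted RAR archive with unrar.

Added example for this bug report; it is not code from the report, from
Debian or from RarLab. It assumes only what the report states: upstream
6.12 carries the fix, and the bug lets an archive write outside the
extraction directory. The `unrar` banner format ("UNRAR X.YY ...") and the
entry names used below are assumptions / constructed test data, not a
reproduction of the CVE.
"""
import os
import posixpath
import re

# Upstream release named in the report as carrying the fix.
FIXED_VERSION = (6, 12)

# First line printed by `unrar` (assumed format: "UNRAR 6.12 freeware ...").
_BANNER_RE = re.compile(r"^UNRAR\s+(\d+)\.(\d+)", re.MULTILINE)


def parse_unrar_version(banner: str):
    """Return (major, minor) from an `unrar` banner, or None if not found."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def unrar_is_fixed(banner: str) -> bool:
    """True if the banner reports a version >= the fixed upstream release."""
    v = parse_unrar_version(banner)
    return v is not None and v >= FIXED_VERSION


def entry_escapes(entry: str, target_dir: str) -> bool:
    """True if writing archive entry `entry` under `target_dir` would land
    outside it. Handles both separators (RAR archives may carry Windows
    style paths), absolute paths, drive letters and `..` components."""
    name = entry.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return True
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return True
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, norm))
    # realpath also follows symlinks already present under target_dir, so a
    # previously planted link pointing elsewhere is caught here as well.
    return os.path.commonpath([root, dest]) != root


def screen_entries(entries, target_dir):
    """Return the entry names that must not be extracted into target_dir."""
    return [e for e in entries if entry_escapes(e, target_dir)]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real archive or host.
    sample_banner = "UNRAR 5.61 freeware      Copyright (c) 1993-2018 Alexander Roshal"
    sample_entries = [
        "docs/readme.txt",
        "docs/../notes.txt",
        "../../.ssh/authorized_keys",
        "..\\..\\etc\\cron.d\\job",
        "/etc/passwd",
    ]
    print("unrar fixed:", unrar_is_fixed(sample_banner))
    print("rejected entries:", screen_entries(sample_entries, "/tmp/extract"))
```

Feed `unrar_is_fixed` the first line of `unrar` run with no arguments, and `screen_entries` the names from a listing of the archive taken before extraction. Refusing to extract when either check fails is a stop-gap only: it does not inspect how the archive's contents are actually handled by the unrar binary, so the package update remains the real fix.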