Your message dated Sun, 29 May 2022 18:02:23 +0000
with message-id <e1nvnf9-000j1s...@fasolo.debian.org>
and subject line Bug#1010837: fixed in unrar-nonfree 1:6.0.3-1+deb11u1
has caused the Debian Bug report #1010837,
regarding CVE-2022-30333 (unrar file write vulnerability) patch not yet 
available for Debian 10 packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010837
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: unrar
severity: grave
tags: security

---------- Forwarded Message ---------

From: Simon Scannell <simon.scann...@sonarsource.com>
Subject: CVE-2022-30333 (unrar file write vulnerability) patch not yet
available for Debian 10 packages
Date: May 11 2022, at 6:08 am
To: m...@debian.org
Cc: Vulnerability Research Team <vulnerability.resea...@sonarsource.com>


> Dear Martin,
> 
> I am contacting you as you are listed as the maintainer for the unrar
> package for Debian 10 as listed here: 
> https://debian.pkgs.org/10/debian-nonfree-arm64/unrar_5.6.6-1_arm64.deb.html
> 
> We recently reported a vulnerability (CVE-2022-30333) to RarLab. It is
> a File Write vulnerability that allows an attacker to write a file
> outside of a target extraction dir when unarchiving an untrusted RAR
> archive. We have identified a high-profile piece of software that is
> affected by this vulnerability.
> 
> The vulnerability has been patched in RarLab's upstream version 6.12
> (https://www.rarlab.com/download.htm ).
> 
> If the changelog file is up to date, it seems like the package has not
> been updated yet, so no fix is available for users.
> 
> Please view this email as a friendly heads up about this issue. Once
> the package is updated, users can secure themselves.
> 
> Thank you,
> Simon Scannell | Sonar
> 
> Vulnerability Researcher
> Twitter: @scannell_simon
> https://sonarsource.com

--- End Message ---
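The report above describes the bug class only as a file write outside the target extraction directory when unpacking an untrusted RAR archive; it gives no detail on the mechanism of CVE-2022-30333 itself, and none is assumed here. As an added example (not code from unrar, RarLab, Sonar or Debian), this is the kind of lexical check an extractor has to make on every entry name and symlink target before it creates anything on disk. The destination root and the entry names are constructed inputs.

```python
"""Lexical checks that an archive entry cannot write outside the extraction root.

Added example; not code from unrar, RarLab, Sonar or Debian. Inputs are
archive entry names as stored in the archive, so no filesystem access is
needed and the check can run before anything is created on disk.
"""
import posixpath
import re
from typing import Optional, Tuple

# A Windows drive prefix ("C:") at the start of a name is an absolute path too.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def _normalise(name: str) -> str:
    """Canonical POSIX form of an archive path.

    Archives written on Windows may store backslash separators, so both
    separators are treated alike; otherwise "..\\etc\\cron.d\\job" would
    look like one harmless filename.
    """
    return posixpath.normpath(name.replace("\\", "/"))


def _is_absolute(name: str) -> bool:
    return name.startswith("/") or bool(_DRIVE_RE.match(name))


def _escapes(root: str, rel: str) -> bool:
    """True if root/rel, once '..' components are collapsed, leaves root."""
    joined = posixpath.normpath(posixpath.join(root, rel))
    return posixpath.commonpath([root, joined]) != root


def check_entry(dest_root: str, entry_name: str,
                link_target: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for extracting one entry under dest_root.

    link_target is the stored target for a symlink entry, None otherwise.
    """
    root = posixpath.normpath(dest_root)
    if not posixpath.isabs(root):
        return False, "destination root must be absolute"

    name = _normalise(entry_name)
    if _is_absolute(name):
        return False, f"absolute entry name: {entry_name!r}"
    if _escapes(root, name):
        return False, f"entry escapes destination: {entry_name!r}"

    if link_target is not None:
        target = _normalise(link_target)
        if _is_absolute(target):
            return False, f"absolute symlink target: {link_target!r}"
        # A relative symlink target resolves from the link's own directory.
        if _escapes(root, posixpath.join(posixpath.dirname(name), target)):
            return False, f"symlink target escapes destination: {link_target!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real archive.
    samples = [
        ("docs/readme.txt", None),
        ("../../etc/cron.d/job", None),
        ("..\\..\\etc\\cron.d\\job", None),
        ("C:\\Windows\\win.ini", None),
        ("docs/link", "../../etc"),
        ("docs/link", "../other.txt"),
    ]
    for entry, link in samples:
        print(entry, link, check_entry("/srv/out", entry, link))
```

A purely lexical check is necessary but not sufficient: once a symlink entry has been created on disk, a later regular-file entry whose path passes through it would still be written outside the root unless the extractor also refuses to follow symlinks while creating files (for example by opening with O_NOFOLLOW, or by deferring symlink creation until all regular files are written).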
--- Begin Message ---
Source: unrar-nonfree
Source-Version: 1:6.0.3-1+deb11u1
Done: YOKOTA Hiroshi <yokota.h...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
unrar-nonfree, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
YOKOTA Hiroshi <yokota.h...@gmail.com> (supplier of updated unrar-nonfree 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 May 2022 20:26:16 +0900
Source: unrar-nonfree
Architecture: source
Version: 1:6.0.3-1+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: UnRar maintainer team <team+unrar-nonf...@tracker.debian.org>
Changed-By: YOKOTA Hiroshi <yokota.h...@gmail.com>
Closes: 1010837
Changes:
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 .
   * Fix CVE-2022-30333 (Closes: #1010837)
Checksums-Sha1:
 ee17fdc4b521a63ac0af502bb85d9a52e5800171 2343 unrar-nonfree_6.0.3-1+deb11u1.dsc
 b64c1bd7b4df78e3e228df5495591ec73e9c5535 10472 unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz
 e3f33ee836ccf0732fbdbd5fb8715cb9ac453d81 5656 unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo
Checksums-Sha256:
 25d0659782d6b07a6772e994bb27cb668037790d4e9665f73ef76189a07d1e34 2343 unrar-nonfree_6.0.3-1+deb11u1.dsc
 d7b04a071d770b75b0b3fc3aee5ecce20c2a74fc875d6277f9c96954deee2575 10472 unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz
 f66a5401d49a57d1619527d8b1241fe186683e2901edda62afb69403f3304b04 5656 unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo
Files:
 151645b25a458c7b1e193202b45335fe 2343 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1.dsc
 a9665e3a45c512ca6b88b558c17f883e 10472 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz
 02732f88a165fa9d2dcefd92ce9f3dae 5656 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
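The .changes file above names the fixed bullseye version, 1:6.0.3-1+deb11u1. Whether an installed package carries that fix is a Debian version comparison, and the epoch is where ad-hoc string comparisons go wrong: the `.deb` filename linked in the original report (unrar_5.6.6-1_arm64.deb) drops the `1:` epoch that `dpkg-query` prints. As an added example (not Debian's or dpkg's code), the block below reimplements the comparison algorithm from Debian Policy so it runs off a Debian host; on Debian itself, `dpkg --compare-versions` is the authoritative check. The fixed version is taken from this thread and applies to bullseye only; for another suite substitute the version the Debian security tracker lists for it. The installed versions in the sample run are constructed.

```python
"""Check whether an installed unrar-nonfree version is at least the fixed one.

Added example, not code from Debian or dpkg. It reimplements the version
ordering from Debian Policy (epoch, then upstream_version, then
debian_revision) so the check runs anywhere; on Debian hosts prefer
`dpkg --compare-versions`.
"""
from typing import Tuple

# Fixed version named in the .changes file for bullseye in this thread.
FIXED_BULLSEYE = "1:6.0.3-1+deb11u1"


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, dpkg style: '~' sorts
    before everything including end of string (weight 0); letters sort
    before other characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision string dpkg style."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a has more digits, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream_version[-debian_revision]. The first ':' and the
    last '-' are the delimiters; a missing epoch is 0, a missing revision ''."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive as a is older than, equal to, newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _cmp_fragment(ua, ub)
    if r != 0:
        return r
    return _cmp_fragment(ra, rb)


def has_fix(installed: str, fixed: str = FIXED_BULLSEYE) -> bool:
    """True if the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample values, in the form printed by
    #   dpkg-query -W -f='${Version}\n' unrar
    for v in ["1:6.0.3-1", "1:6.0.3-1+deb11u1", "1:6.1.7-1", "6.0.3-1+deb11u1", "1:5.6.6-1"]:
        print(f"{v:20} has_fix={has_fix(v)}")
```

Note that "6.0.3-1+deb11u1" without the epoch compares as older than the fix because its epoch is 0, which is the failure mode of feeding a version read from a filename instead of from `dpkg-query`.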
