Bug 849686

Summary: <app-arch/rar-6.12: extract directory traversal/file overwrite
Product: Gentoo Security
Reporter: Vasilis Lourdas <bugs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: conikost, jstein, whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=843611
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 849689

Description Vasilis Lourdas 2022-06-04 15:47:14 UTC
Hi,

Version 6.12 fixes the CVE-2022-30333 advisory with a high security rating (7.5). Could we please have it in the tree?

Thank you!
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-04 15:55:59 UTC

*** This bug has been marked as a duplicate of bug 843611 ***
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-04 15:57:28 UTC
Oh, sorry. Not a dupe, but they should've gotten another CVE for the different packages affected.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-04 15:58:54 UTC
And the maintainer has not been around recently, feel free to make a PR for a bump.
Comment 4 Larry the Git Cow gentoo-dev 2022-06-05 14:06:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16ed2b8e5a486f3b475dbc4c1458316e0079c51a

commit 16ed2b8e5a486f3b475dbc4c1458316e0079c51a
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-06-05 14:03:06 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-06-05 14:06:06 +0000

    app-arch/rar: drop 6.0.2_p20210611, 6.10_p20220124
    
    Bug: https://bugs.gentoo.org/849686
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/rar/Manifest                   |   6 --
 app-arch/rar/rar-6.0.2_p20210611.ebuild | 109 --------------------------------
 app-arch/rar/rar-6.10_p20220124.ebuild  | 109 --------------------------------
 3 files changed, 224 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=961a398fc3b2e1b95767fa06429f9bd8daec4a4a

commit 961a398fc3b2e1b95767fa06429f9bd8daec4a4a
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-06-05 14:01:42 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-06-05 14:06:05 +0000

    app-arch/rar: x86 stable
    
    Bug: https://bugs.gentoo.org/849686
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/rar/rar-6.12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e2c5da3d2d50d56eeb8460540c5783f34430b74

commit 6e2c5da3d2d50d56eeb8460540c5783f34430b74
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-06-05 14:00:11 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-06-05 14:06:04 +0000

    app-arch/rar: add 6.12
    
    Bug: https://bugs.gentoo.org/849686
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 app-arch/rar/Manifest        |   3 ++
 app-arch/rar/rar-6.12.ebuild | 121 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-05 15:06:33 UTC
Thanks!
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-13 04:14:29 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2023-09-17 05:26:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2cdd606244f7dd25e671800d5ab92a7e8d6990eb

commit 2cdd606244f7dd25e671800d5ab92a7e8d6990eb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 05:24:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 05:26:26 +0000

    [ GLSA 202309-04 ] RAR, UnRAR: Arbitrary File Overwrite
    
    Bug: https://bugs.gentoo.org/843611
    Bug: https://bugs.gentoo.org/849686
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-04.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)