CVE-2022-30333 (https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz): https://www.rarlab.com/rar_add.htm RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected. References seem useless, and CVE descriptions aren't reliable. It should be verified that 6.12 actually fixes the issue. Since the description doesn't mention it, app-arch/unar should probably be checked as well.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abe68f25a84bae5737dbd9b2c3f513c58c993d16 commit abe68f25a84bae5737dbd9b2c3f513c58c993d16 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-05-31 03:01:44 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-05-31 03:01:44 +0000 app-arch/unrar: add 6.1.7 Bug: https://bugs.gentoo.org/843611 Signed-off-by: Sam James <sam@gentoo.org> app-arch/unrar/Manifest | 1 + app-arch/unrar/unrar-6.1.7.ebuild | 65 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+)
Please cleanup
*** Bug 849686 has been marked as a duplicate of this bug. ***
Clean.
Thanks!
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=2cdd606244f7dd25e671800d5ab92a7e8d6990eb commit 2cdd606244f7dd25e671800d5ab92a7e8d6990eb Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-09-17 05:24:38 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-09-17 05:26:26 +0000 [ GLSA 202309-04 ] RAR, UnRAR: Arbitrary File Overwrite Bug: https://bugs.gentoo.org/843611 Bug: https://bugs.gentoo.org/849686 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202309-04.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+)