CVE-2022-30333

NameCVE-2022-30333
DescriptionRARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3534-1
Debian Bugs1010837, 1012228

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rar (PTS)buster/non-free2:5.5.0-1vulnerable
buster/non-free (security)2:6.23-1~deb10u1fixed
bullseye/non-free2:6.23-1~deb11u1fixed
bookworm/non-free2:6.23-1~deb12u1fixed
trixie/non-free, sid/non-free2:7.00-1fixed
unrar-nonfree (PTS)buster/non-free1:5.6.6-1+deb10u1fixed
buster/non-free (security)1:5.6.6-1+deb10u4fixed
bullseye/non-free1:6.0.3-1+deb11u3fixed
bookworm/non-free1:6.2.6-1+deb12u1fixed
trixie/non-free1:7.0.6-1fixed
sid/non-free1:7.0.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rarsourcebuster2:6.20-0.1~deb10u1DLA-3534-1
rarsourcebullseye2:6.20-0.1~deb11u1
rarsource(unstable)2:6.20~b1-0.11012228
unrar-nonfreesourcebuster1:5.6.6-1+deb10u1
unrar-nonfreesourcebullseye1:6.0.3-1+deb11u1
unrar-nonfreesource(unstable)1:6.1.7-11010837

Notes

[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
[stretch] - rar <no-dsa> (Non-free not supported)
6.12 application version corresponds to 6.1.7 source version:
https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7
Search for package or bug name: Reporting problems