CVE-2022-30333

NameCVE-2022-30333
DescriptionRARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1010837, 1012228

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rar (PTS)buster/non-free, bullseye/non-free2:5.5.0-1vulnerable
bookworm/non-free, sid/non-free2:6.20~b1-0.1fixed
unrar-nonfree (PTS)buster/non-free1:5.6.6-1+deb10u1fixed
bullseye/non-free1:6.0.3-1+deb11u1fixed
bookworm/non-free, sid/non-free1:6.2.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rarsource(unstable)2:6.20~b1-0.11012228
unrar-nonfreesourcebuster1:5.6.6-1+deb10u1
unrar-nonfreesourcebullseye1:6.0.3-1+deb11u1
unrar-nonfreesource(unstable)1:6.1.7-11010837

Notes

[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
[bullseye] - rar <no-dsa> (Non-free not supported)
[buster] - rar <no-dsa> (Non-free not supported)
[stretch] - rar <no-dsa> (Non-free not supported)
6.12 application version corresponds to 6.1.7 source version:
https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7

Search for package or bug name: Reporting problems