Bug 30453 - unrar new security issue CVE-2022-30333
Summary: unrar new security issue CVE-2022-30333
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-20 16:02 CEST by Nicolas Salguero
Modified: 2022-05-25 20:47 CEST (History)
CC List: 5 users

See Also:
Source RPM: unrar-6.00-3.mga8.nonfree.src.rpm
CVE: CVE-2022-30333
Status comment:



Description Nicolas Salguero 2022-05-20 16:02:42 CEST
A CVE has been issued for a security issue in unrar:
https://www.suse.com/security/cve/CVE-2022-30333.html

The issue is fixed upstream in 6.1.7.

Mageia 8 is also affected.
Nicolas Salguero 2022-05-20 16:05:33 CEST

Status comment: (none) => Fixed upstream in 6.1.7
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Source RPM: (none) => unrar-6.00-3.mga8.nonfree.src.rpm
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2022-30333

Comment 1 Nicolas Salguero 2022-05-20 16:28:54 CEST
Suggested advisory:
========================

The updated package fixes a security vulnerability:

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. (CVE-2022-30333)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30333
https://www.suse.com/security/cve/CVE-2022-30333.html
========================

Updated packages in nonfree/updates_testing:
========================
unrar-6.00-3.1.mga8.nonfree

from SRPM:
unrar-6.00-3.1.mga8.nonfree.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 6.1.7 => (none)
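The advisory above describes the bug class rather than a fix a packager can see, so here is a defender-side pre-extraction check for it: given an archive's entry list, decide which entries would make the extractor write outside the chosen destination directory. This is an added example, not code from this bug report or from the unrar project; the entries are a constructed in-memory list (not parsed from a .rar file) and the destination path is an assumption. It goes a little beyond the advisory's wording in two ways: it normalises backslash separators and `..` components before making any decision, and it also judges symlink entries by where their target resolves, since a later entry extracted through such a link lands at the target.

```python
"""Pre-extraction path check for the bug class in the advisory: an archive
entry that makes the extractor write outside the destination directory.
Added example, not code from the Mageia bug report or from the unrar
project; entries are a constructed in-memory list, not a parsed .rar file."""
import posixpath
from dataclasses import dataclass

DEST = "/home/user/extract"   # assumed destination directory (constructed)


@dataclass
class Entry:
    name: str                   # path as stored in the archive
    is_symlink: bool = False
    link_target: str = ""       # meaningful only when is_symlink is True


def naive_is_safe(name):
    """The kind of check that is NOT enough: it inspects the raw string and
    misses separators and '..' components that only show up after
    normalisation (e.g. 'docs\\..\\..\\x' or 'a/../../x')."""
    return not name.startswith("/") and not name.startswith("../")


def _inside(path, root):
    """True when the normalised absolute path is root or lies below it.
    The trailing '/' stops '/root2/x' from matching root '/root'."""
    return path == root or path.startswith(root + "/")


def _normalise(dest, relative):
    """Treat backslashes as separators (archives made on Windows use them)
    and collapse '.' and '..' lexically before any decision is made."""
    return posixpath.normpath(posixpath.join(dest, relative.replace("\\", "/")))


def check_entries(entries, dest=DEST):
    """Return {entry name: reason} for every entry that must not be extracted."""
    dest = posixpath.normpath(dest)
    rejected = {}
    for e in entries:
        raw = e.name.replace("\\", "/")
        if raw.startswith("/"):
            rejected[e.name] = "absolute path"
            continue
        target = _normalise(dest, e.name)
        if not _inside(target, dest):
            rejected[e.name] = "path escapes destination"
            continue
        if e.is_symlink:
            lt = e.link_target.replace("\\", "/")
            if lt.startswith("/"):
                rejected[e.name] = "symlink to absolute path"
                continue
            # A relative link target is resolved against the link's own directory.
            link_dest = posixpath.normpath(
                posixpath.join(posixpath.dirname(target), lt))
            if not _inside(link_dest, dest):
                rejected[e.name] = "symlink target escapes destination"
    return rejected


# Constructed sample archive listing, in archive order.
SAMPLE = [
    Entry("testrar/test.sha256"),
    Entry("testrar/test_0.bin"),
    Entry("../outside.txt"),
    Entry("docs\\..\\..\\outside.txt"),
    Entry("/etc/motd"),
    Entry("links/up", is_symlink=True, link_target="..\\..\\.."),
    Entry("links/sibling", is_symlink=True, link_target="../testrar"),
]

if __name__ == "__main__":
    for name, why in check_entries(SAMPLE).items():
        print(f"REJECT {name!r}: {why}")
```

Run as a script it lists the four sample entries that would be refused; the two `testrar/` files and the sibling link, whose target stays under the destination, are accepted. The point of `naive_is_safe` is the contrast: a string-prefix test passes `docs\..\..\outside.txt`, while `check_entries` rejects it because it normalises first.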

Comment 2 Len Lawrence 2022-05-22 16:36:22 CEST
test.rar from PC LX bug 21563
rar from http://www.rarlab.com/download.htm

Checked the operation of unrar before updating.
Afterwards:
Referring to Lewis on bug 21563

$ unrar t test.rar
UNRAR 6.00 freeware      Copyright (c) 1993-2020 Alexander Roshal
Testing archive test.rar
Testing     testrar/test.sha256                                       OK 
Testing     testrar/test_9.bin                                        OK 
[...]
Testing     testrar/test_1.bin                                        OK 
Testing     testrar/test_0.bin                                        OK 
Testing     testrar                                                   OK
All OK

$ unrar x test.rar
[...]
Extracting from test.rar
[...]
All OK
$ ls testrar
test_0.bin  test_2.bin  test_4.bin  test_6.bin  test_8.bin  test.sha256
test_1.bin  test_3.bin  test_5.bin  test_7.bin  test_9.bin
$ cd testrar
$ sha256sum --check test.sha256
test_0.bin: OK
[...]
test_9.bin: OK

Created a rar file using local copy of rar.
$ rar a images.rar wikimedia
$ mv wikimedia i/
$ unrar x images.rar
Extracting from images.rar
Creating    wikimedia                                                 OK
Extracting  wikimedia/Lamogi_Rebellion_site.jpg                       OK 
[...]
Extracting  wikimedia/Архитектурный_комплекс_Даргавс.jpg
Extracting  wikimedia/Ohtakarin_ilta.jpg                              OK 
All OK

All images restored.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-05-23 14:07:27 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-25 02:36:25 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-05-25 20:47:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0206.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
