A CVE has been issued for a security issue in unrar:
https://www.suse.com/security/cve/CVE-2022-30333.html

The issue is fixed upstream in 6.1.7.

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.1.7
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Source RPM: (none) => unrar-6.00-3.mga8.nonfree.src.rpm
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2022-30333
Suggested advisory:
========================

The updated package fixes a security vulnerability:

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. (CVE-2022-30333)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30333
https://www.suse.com/security/cve/CVE-2022-30333.html
========================

Updated packages in nonfree/updates_testing:
========================
unrar-6.00-3.1.mga8.nonfree

from SRPM:
unrar-6.00-3.1.mga8.nonfree.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 6.1.7 => (none)
test.rar from PC LX bug 21563
rar from http://www.rarlab.com/download.htm

Checked the operation of unrar before updating.

Afterwards:
Referring to Lewis on bug 21563

$ unrar t test.rar
UNRAR 6.00 freeware Copyright (c) 1993-2020 Alexander Roshal
Testing archive test.rar
Testing testrar/test.sha256 OK
Testing testrar/test_9.bin OK
[...]
Testing testrar/test_1.bin OK
Testing testrar/test_0.bin OK
Testing testrar OK
All OK
$ unrar x test.rar
[...]
Extracting from test.rar
[...]
All OK
$ ls testrar
test_0.bin test_2.bin test_4.bin test_6.bin test_8.bin test.sha256
test_1.bin test_3.bin test_5.bin test_7.bin test_9.bin
$ cd testrar
sha256sum --check test.sha256
test_0.bin: OK
[...]
test_9.bin: OK

Created a rar file using local copy of rar.

$ rar a images.rar wikimedia
$ mv wikimedia i/
$ unrar x images.rar
Extracting from images.rar
Creating wikimedia OK
Extracting wikimedia/Lamogi_Rebellion_site.jpg OK
[...]
Extracting wikimedia/Архитектурный_комплекс_Даргавс.jpg
Extracting wikimedia/Ohtakarin_ilta.jpg OK
All OK

All images restored.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0206.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED