
Bug#1010857: bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yokota.hgml@gmail.com

[ Reason ]
Fix CVE-2022-30333 and its corresponding RC bug.

[ Impact ]
CVE-2022-30333 is a directory traversal vulnerability.
It writes to files outside of the extraction directory during an extract
operation.

[ Tests ]
The compiled executable passes the current autopkgtest in Debian sid.

[ Risks ]
A test case for CVE-2022-30333 is not available.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add patch to fix CVE-2022-30333.
This patch was taken from the diff between unrar 6.1.6 and 6.1.7.

[ Other info ]
The upstream developer uses both an application version and a source version.
Upstream says this security vulnerability is fixed in application version 6.12.
Application version 6.12's corresponding source version is 6.1.7.
CVE-2022-30333 was fixed in source version 6.1.7.

--
YOKOTA Hiroshi

Attachment: unrar-nonfree-bullseye-update-1:6.0.3-1+deb11u1.debdiff
Description: Binary data
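The debdiff attached to this report is not reproduced on the page, so the actual unrar change is not visible here. As an added example that is not part of this report and not unrar's own code, the following generic containment check illustrates the class of defect the [ Impact ] section describes: an extractor must decide, before writing, whether an archive member's path would land inside the chosen extraction directory. The check resolves `..` components, rejects absolute member names, and also resolves symlinks already present on disk, so that a member path routed through a symlink cannot reach outside the destination. The function names, the temporary directories and the sample member names are all constructed for this example.

```python
import os
import tempfile


def is_within_directory(dest_dir: str, member_name: str) -> bool:
    """Return True only if writing archive member `member_name` under
    `dest_dir` would end up inside `dest_dir` after resolving '..'
    components, absolute paths and any symlinks that already exist on disk.

    Hypothetical helper for illustration; not unrar's implementation.
    """
    # Member names come from the untrusted archive: never honour an
    # absolute name, it would bypass the destination entirely.
    if os.path.isabs(member_name):
        return False

    base = os.path.realpath(dest_dir)
    # realpath() normalises '..' and follows symlinks for the path
    # components that already exist, which is what makes a planted
    # symlink inside dest_dir unable to redirect the write outside it.
    candidate = os.path.realpath(os.path.join(base, member_name))

    # Containment holds only when dest_dir is a prefix of the resolved
    # target at the path-component level (not a plain string prefix,
    # which would wrongly accept /tmp/dest-evil for /tmp/dest).
    return os.path.commonpath([base, candidate]) == base


def demo() -> dict:
    """Exercise the check against constructed member names, including one
    routed through a symlink that points outside the extraction directory."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        # Constructed scenario: a symlink already exists in the extraction
        # directory and points at an unrelated directory.
        os.symlink(outside, os.path.join(dest, "link"))
        return {
            "plain": is_within_directory(dest, "docs/readme.txt"),
            "dotdot_inside": is_within_directory(dest, "docs/../readme.txt"),
            "dotdot_escape": is_within_directory(dest, "../escape.txt"),
            "absolute": is_within_directory(dest, "/tmp/escape.txt"),
            "via_symlink": is_within_directory(dest, "link/escape.txt"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14s} -> {'write' if allowed else 'REJECT'}")
```

Only the first two member names are accepted; the `..` escape, the absolute name and the path through the symlink are all rejected because their resolved target no longer has the extraction directory as a component-wise prefix. An extractor that performs an equivalent check for every member, including symlink members it creates itself, is what prevents the "write outside of the extraction directory" outcome the report describes.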