Bug#1050044: bullseye-pu: package rar/2:5.5.0-1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
Hello,
[ Reason ]
I would like to update rar in bullseye because it is affected by
CVE-2022-30333. This issue has been fixed in all other suites already
and it makes sense to address this problem in bullseye too. A backport
is the only sensible approach because rar is closed source.
[ Impact ]
The RAR archiver would continue to be vulnerable.
[ Tests ]
Unfortunately rar is just a non-free binary without source code, so I
had to rely on manual testing. Since there was not enough information
available to reproduce the problem, I created a normal rar archive
with random files and folders and another one which consisted of
several symlinks and files with relative paths. The extract operation
seems to work correctly in both cases.
[ Risks ]
I'm not aware of any major changes like different command switches
etc. but rar is non-free and closed source, so there is always some
kind of risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
I don't attach a debdiff because of the closed source binary of rar.
Reply to: