CVE-2022-30333 (unrar file write vulnerability) patch not yet available for Ubuntu packages

Simon Scannell simon.scannell at sonarsource.com
Wed May 11 05:03:38 UTC 2022


Dear Ubuntu maintainers,

We recently reported a vulnerability (CVE-2022-30333) to RarLab. It is a
File Write vulnerability that allows an attacker to write a file outside of
a target extraction dir when unarchiving an untrusted RAR archive. We have
identified a high-profile piece of software that is affected by this vulnerability.

The vulnerability has been patched in RarLab's upstream version 6.12
( https://www.rarlab.com/download.htm ).

The Ubuntu package does not seem to have been updated to the latest version yet
(assuming
http://changelogs.ubuntu.com/changelogs/pool/multiverse/u/unrar-nonfree/unrar-nonfree_6.1.5-1/changelog
is up to date).

Please view this email as a friendly heads up about this issue. Once the
package is updated, users can secure themselves.

Thank you,

Simon Scannell | Sonar
Vulnerability Researcher
Twitter: @scannell_simon

https://sonarsource.com
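The bug class described above (an archive entry that ends up written outside the extraction directory) is generic to any extractor that trusts entry names. The following is an added example, not unrar's code or RarLab's patch, of the containment check an extractor needs: every destination path is resolved against the real on-disk state, so both `..` components and symlinks that an earlier entry of the same archive already dropped into the target directory are caught at write time. The archive entries, the `is_contained`/`extract`/`demo` functions and the entry format are all constructed for this illustration.

```python
import os
import tempfile

# Constructed stand-in for an untrusted archive: (name, kind, payload).
# kind is "dir", "symlink" (payload = link target) or "file" (payload = bytes).
# Two entries try to escape: one via "..", one by writing through a symlink
# that the archive itself created one entry earlier.
CONSTRUCTED_ARCHIVE = [
    ("docs/readme.txt", "file", b"hello"),
    ("docs/../../escape.txt", "file", b"traversal"),
    ("link", "symlink", "../../"),
    ("link/payload.txt", "file", b"written through symlink"),
]


def is_contained(dest_root: str, entry_name: str) -> bool:
    """True if entry_name, joined onto dest_root, still resolves inside
    dest_root after collapsing '..' and following symlinks already on disk."""
    root = os.path.realpath(dest_root)
    # Archives may carry backslash separators; treat them as path separators
    # so they are subject to the same check as forward slashes.
    normalized = entry_name.replace("\\", "/")
    if os.path.isabs(normalized):
        return False
    candidate = os.path.join(root, normalized)
    # realpath resolves the existing parent chain (including symlinks that a
    # previous entry extracted) and collapses '..'; the leaf need not exist.
    resolved = os.path.realpath(candidate)
    return resolved == root or resolved.startswith(root + os.sep)


def extract(entries, dest_root):
    """Extract constructed entries into dest_root.
    Returns (written, rejected) lists of entry names, in archive order."""
    written, rejected = [], []
    for name, kind, payload in entries:
        # Check at write time: earlier entries may have changed the tree.
        if not is_contained(dest_root, name):
            rejected.append(name)
            continue
        path = os.path.join(dest_root, name.replace("\\", "/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if kind == "dir":
            os.makedirs(path, exist_ok=True)
        elif kind == "symlink":
            os.symlink(payload, path)
        else:
            with open(path, "wb") as f:
                f.write(payload)
        written.append(name)
    return written, rejected


def demo():
    """Run the constructed archive through extract() in a fresh temp dir."""
    return extract(CONSTRUCTED_ARCHIVE, tempfile.mkdtemp())


if __name__ == "__main__":
    ok, bad = demo()
    print("written :", ok)
    print("rejected:", bad)
```

The check deliberately allows the symlink entry itself (its own path is inside the target) and refuses only the later write that would pass through it; an extractor that wants to be stricter can additionally reject any symlink whose target resolves outside the root. The important property is that containment is evaluated against the directory as it actually exists when each entry is written, not against the entry name alone.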