Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yokota.h...@gmail.com
[ Impact ]
CVE-2022-30333 is a directory traversal vulnerability. It writes to files outside of the extraction directory during an extract operation.

[ Tests ]
The compiled executable file passes the current autopkgtest in Debian sid.

[ Risks ]
A test case for CVE-2022-30333 is not available.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add patch to fix CVE-2022-30333. This patch was taken from the diff file between unrar 6.1.6 and 6.1.7.

[ Other info ]
The upstream developer uses both an application version and a source version. Upstream says this security vulnerability is fixed in application version 6.12. Application version 6.12's corresponding source version is 6.1.7. CVE-2022-30333 was fixed in source version 6.1.7.

--
YOKOTA Hiroshi
unrar-nonfree-buster-update-1:5.6.6-1+deb10u1.debdiff
Description: Binary data