Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org
Hello, [ Reason ] I would like to update rar in bullseye because it is affected by CVE-2022-30333. This issue has been fixed in all other suites already and it makes sense to address this problem in bullseye too. A backport is the only sensible approach because rar is closed source. [ Impact ] The RAR archiver would continue to be vulnerable. [ Tests ] Unfortunately rar is just a non-free binary without source code, so I had to rely on manual testing. Since there was not enough information available to reproduce the problem, I created a normal rar archive with random files and folders and another one which consisted of several symlinks and files with relative paths. The extract operation seems to work correctly in both cases. [ Risks ] I'm not aware of any major changes like different command switches etc. but rar is non-free and closed source, so there is always some kind of risk. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [ ] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] I don't attach a debdiff because of the closed source binary of rar.
