
An unrar-nonfree security update has been released for Debian GNU/Linux 9 Extended LTS to address an issue that allowed the extraction of files outside of the destination folder via symlink chains.



ELA-921-1 unrar-nonfree security update

Package : unrar-nonfree
Version : 1:5.6.6-1+deb9u1 (stretch)

Related CVEs :
CVE-2017-12938
CVE-2017-12940
CVE-2017-12941
CVE-2017-12942
CVE-2017-20006
CVE-2018-25018
CVE-2022-30333
CVE-2022-48579

It was discovered that UnRAR, an unarchiver for rar files, allows extraction of
files outside of the destination folder via symlink chains. Programming flaws
like heap-based buffer overflows or out-of-bounds reads may also cause a denial
of service (application crash) if a malformed rar archive is extracted.
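
The following is an added example, not part of the advisory or of UnRAR: a post-extraction audit that lists symlinks in an extraction directory whose fully resolved target lies outside it, following chains of links. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(dest):
    """Return sorted relative paths of symlinks under dest whose fully
    resolved target is outside dest. realpath() follows whole chains."""
    root = os.path.realpath(dest)
    escaping = []
    # followlinks=False: list symlinked directories but never descend into them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath equals root only when target is root or below it
            if os.path.commonpath([root, target]) != root:
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_demo_tree(base):
    """Constructed sample: an extraction directory holding a symlink chain."""
    dest = os.path.join(base, "extract")
    os.makedirs(os.path.join(dest, "docs"))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(dest, "docs", "readme.txt"), "w") as fh:
        fh.write("benign\n")
    os.symlink("docs", os.path.join(dest, "alias"))       # stays inside dest
    os.symlink("../outside", os.path.join(dest, "hop2"))  # leaves dest
    os.symlink("hop2", os.path.join(dest, "hop1"))        # hop1 -> hop2 -> outside
    return dest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel in find_escaping_symlinks(build_demo_tree(base)):
            print("symlink resolves outside destination:", rel)
```

Note that hop1 points at a name inside the destination and is only flagged because the whole chain is resolved; checking each link's immediate target would miss it.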
