ELA-921-1 unrar-nonfree security update

extraction of files outside destination directory

2023-08-16
Package: unrar-nonfree
Version: 1:5.6.6-1+deb9u1 (stretch)
Related CVEs: CVE-2017-12938 CVE-2017-12940 CVE-2017-12941 CVE-2017-12942 CVE-2017-20006 CVE-2018-25018 CVE-2022-30333 CVE-2022-48579


It was discovered that UnRAR, an unarchiver for RAR files, allows extraction of files outside of the destination directory via symlink chains: an archive entry first creates a symlink that points outside the destination, and a later entry is then written through that link. Programming flaws such as heap-based buffer overflows or out-of-bounds reads may also cause a denial of service (application crash) if a malformed RAR archive is extracted.
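The following is an added illustration of the containment check an extractor needs to defeat the symlink-chain escape described above; it is example code written for this advisory, not UnRAR's own fix or any code from the unrar-nonfree package. It assumes a generic extractor that processes entries in archive order, and uses a constructed temporary directory layout (a destination directory and a sibling directory outside it) to show which entries must be refused.

```python
import os
import tempfile


def _has_parent_component(member: str) -> bool:
    """True if the archive-recorded path contains a '..' component."""
    return ".." in member.replace("\\", "/").split("/")


def is_contained(dest: str, member: str) -> bool:
    """True only if a file written at `member` under `dest` lands inside `dest`.

    `member` is the path as recorded in the archive. Absolute paths and '..'
    components are rejected up front; then any symlinks that already exist on
    disk (for example ones created by earlier entries of the same archive, which
    is how a symlink chain escapes) are resolved, and the real path must still
    lie under the real destination directory.
    """
    if os.path.isabs(member) or _has_parent_component(member):
        return False
    real_dest = os.path.realpath(dest)
    real_target = os.path.realpath(os.path.join(dest, member))
    return os.path.commonpath([real_dest, real_target]) == real_dest


def is_symlink_contained(dest: str, link_name: str, target: str) -> bool:
    """True only if a symlink entry `link_name` -> `target` cannot leave `dest`.

    Relative targets are resolved against the link's own directory (after
    following any links already present there); absolute targets are refused.
    """
    if os.path.isabs(target) or not is_contained(dest, link_name):
        return False
    link_dir = os.path.dirname(os.path.join(dest, link_name))
    resolved = os.path.realpath(os.path.join(link_dir, target))
    real_dest = os.path.realpath(dest)
    return os.path.commonpath([real_dest, resolved]) == real_dest


def demo() -> dict:
    """Constructed scenario (hypothetical layout, not from the advisory):
    an extraction directory plus a sibling directory the archive must not reach."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "extract")
    outside = os.path.join(root, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    results = {}
    # An ordinary relative entry is accepted.
    results["plain_file"] = is_contained(dest, "docs/readme.txt")
    # Classic traversal forms are refused before the filesystem is consulted.
    results["dotdot"] = is_contained(dest, "../outside/evil.txt")
    results["absolute"] = is_contained(dest, os.path.join(outside, "evil.txt"))
    # First link of a chain: a symlink entry whose target leaves dest is refused.
    results["bad_symlink_entry"] = is_symlink_contained(dest, "link", "../outside")
    # Simulate an extractor that created that symlink anyway; the later entry
    # written "through" it must still be caught by resolving the real path.
    os.symlink(outside, os.path.join(dest, "link"))
    results["write_through_symlink"] = is_contained(dest, "link/evil.txt")
    # A symlink whose target stays inside the tree is allowed.
    results["good_symlink_entry"] = is_symlink_contained(dest, "docs/latest", "readme.txt")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'refused'}")
```

The important design point is that the check is evaluated against the filesystem state at the moment each entry is written, not against the archive listing alone: a path that looks harmless in the listing ("link/evil.txt") becomes an escape once an earlier entry has planted the link, so `os.path.realpath` must be applied to the on-disk parent before each write.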
For Debian 9 stretch, these problems have been fixed in version 1:5.6.6-1+deb9u1.

We recommend that you upgrade your unrar-nonfree packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.