UbuntuUpdates.org

Package "libunrar5"

Name: libunrar5

Description:

Unarchiver for .rar files (non-free version) - shared library

Latest version: 1:5.6.6-2ubuntu0.1
Release: focal (20.04)
Level: security
Repository: multiverse
Head package: unrar-nonfree
Homepage: http://www.rarlabs.com/


Other versions of "libunrar5" in Focal

Repository   Area         Version
base         multiverse   1:5.6.6-2build1
updates      multiverse   1:5.6.6-2ubuntu0.1

Changelog

Version: 1:5.6.6-2ubuntu0.1 2025-03-12 20:07:04 UTC

  unrar-nonfree (1:5.6.6-2ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue
    - debian/patches/CVE-2022-30333.patch: introduce and use SafeCharToWide
      in ulinks.cpp.
    - CVE-2022-30333
  * SECURITY UPDATE: directory traversal via symlink chains
    - debian/patches/CVE-2022-48579.patch: properly handle symlinks in
      arcread.cpp, extinfo.cpp, extinfo.hpp, extract.cpp, extract.hpp,
      hardlinks.cpp, model.cpp, os.hpp, pathfn.cpp, timefn.hpp, ulinks.cpp,
      win32stm.cpp.
    - CVE-2022-48579
  * SECURITY UPDATE: code exec via recovery volume index validation
    - debian/patches/CVE-2023-40477.patch: improve checks in getbits.cpp,
      pathfn.cpp, recvol3.cpp, secpassword.cpp.
    - CVE-2023-40477
  * SECURITY UPDATE: ANSI escape sequence issue
    - debian/patches/CVE-2024-33899.patch: replace ESC in consio.cpp,
      log.cpp, strfn.cpp, strfn.hpp, resource.cpp, resource.hpp.
    - CVE-2024-33899

 -- Marc Deslauriers <email address hidden> Fri, 07 Mar 2025 07:19:04 -0500

CVE-2022-30333 RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by
CVE-2022-48579 UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains.
CVE-2023-40477 RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to e
CVE-2024-33899 RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attackers to spoof the screen output, or cause a denial of service, via ANSI escape se
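Three of the four entries above are the same mistake in two forms: trusting an archive entry's path or link target textually, and printing an entry name to the terminal unfiltered. The block below is an added example and not code from unrar or the Ubuntu package: check_entry() decides for each entry, in archive order and against the real on-disk state, whether creating it could reach outside the destination (plain "../" names, symlinks pointing outside, files written through a symlink or a chain of symlinks, the CVE-2022-30333 / CVE-2022-48579 classes), and for_terminal() replaces ESC and the other control characters before a name is displayed (the CVE-2024-33899 class). The "archive" is a constructed list of tuples rather than a real .rar file, and the names check_entry, extract, for_terminal, run_demo and SAMPLE_ENTRIES are chosen here; the recovery-volume index issue (CVE-2023-40477) is format-specific and is not modelled.

```python
"""Added example, not unrar's code: containment checks for archive entries
evaluated against the real filesystem, plus terminal-safe display of names.
The archive format here is a constructed list of tuples, not a real .rar."""
import os
import shutil
import tempfile

# Constructed sample archive: (name, kind, payload); payload is file content
# for "file" entries and the link target for "symlink" entries.
SAMPLE_ENTRIES = [
    ("docs/readme.txt", "file", b"harmless\n"),
    ("../outside.txt", "file", b"plain ../ traversal\n"),
    ("hop1", "symlink", "hop2"),                    # chain hop1 -> hop2 -> ../..
    ("hop2", "symlink", "../.."),
    ("hop1/pwned.txt", "file", b"through the chain\n"),
    ("docs_alias", "symlink", "docs"),              # link staying inside: allowed
    ("docs_alias/ok.txt", "file", b"fine\n"),
    ("pre/x.txt", "file", b"via a link already in dest\n"),
    ("\x1b]0;owned\x07report.txt", "file", b""),   # ESC in the name itself
]


def _inside(path, root):
    """True when the fully resolved path is root itself or lies below it."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def check_entry(dest, name, kind, payload):
    """Return None if the entry may be created, else the reason to refuse it.
    Call in archive order, after the accepted entries before it exist on disk:
    realpath() then follows every symlink the archive (or the destination
    directory itself) already holds, which is what catches chains."""
    root = os.path.realpath(dest)
    full = os.path.join(dest, name)
    # Every component that already exists on the way down must be a directory,
    # so nothing is written through a regular file or a dangling symlink.
    cur = dest
    for part in name.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if os.path.lexists(cur) and not os.path.isdir(cur):
            return "parent is not a directory"
    parent = os.path.dirname(full)
    if not _inside(parent, root):
        return "resolves outside destination"
    if kind == "symlink":
        # Target is resolved relative to the link's own directory and must stay
        # inside dest too; absolute targets are refused outright.
        if os.path.isabs(payload) or not _inside(os.path.join(parent, payload), root):
            return "symlink target escapes destination"
    elif not _inside(full, root):   # also catches an existing outward link at full
        return "resolves outside destination"
    return None


def for_terminal(name):
    """Replace ESC, the other C0/C1 control characters and DEL with '?' before
    a name is displayed, so a crafted name cannot emit escape sequences."""
    return "".join("?" if ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F else c for c in name)


def extract(entries, dest):
    """Create the accepted entries under dest; return [(name, reason)] for the
    refused ones. Names reach the terminal only through for_terminal()."""
    refused = []
    for name, kind, payload in entries:
        reason = check_entry(dest, name, kind, payload)
        if reason is not None:
            refused.append((name, reason))
            print("refused %s: %s" % (for_terminal(name), reason))
            continue
        full = os.path.join(dest, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        if kind == "symlink":
            os.symlink(payload, full)
        else:
            with open(full, "wb") as f:
                f.write(payload)
    return refused


def run_demo():
    """Extract SAMPLE_ENTRIES into a fresh destination that already contains a
    symlink 'pre' pointing outside it (as a reused destination might).
    Returns (refused entries, names that leaked outside, files under docs/)."""
    base = tempfile.mkdtemp(prefix="unrar-demo-")
    dest, outside = os.path.join(base, "dest"), os.path.join(base, "outside")
    os.mkdir(dest)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(dest, "pre"))
    try:
        refused = extract(SAMPLE_ENTRIES, dest)
        leaked = sorted(os.listdir(outside)) + sorted(
            n for n in os.listdir(base) if n not in ("dest", "outside"))
        docs = sorted(os.listdir(os.path.join(dest, "docs")))
    finally:
        shutil.rmtree(base)
    return refused, leaked, docs


if __name__ == "__main__":
    refused, leaked, docs = run_demo()
    print("leaked outside destination:", leaked)   # []
    print("extracted under docs/:", docs)          # ['ok.txt', 'readme.txt']
```

The order matters: hop1 is accepted while hop2 does not yet exist, hop2 is refused because its target resolves above the destination, and hop1/pwned.txt is then refused because its parent is a dangling link rather than a directory. The pre-existing link pre shows why the check must run against the real destination and not just the archive's own entries.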
