|
|
Subscribe / Log in / New account

Ubuntu alert USN-7350-1 (unrar-nonfree)



From:
              Marc Deslauriers <marc.deslauriers@canonical.com>


To:
              "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com>


Subject:
              [USN-7350-1] UnRAR vulnerabilities


Date:
              Wed, 12 Mar 2025 16:03:07 -0400


Message-ID:
              <138ef2fd-08ec-48fb-a1c5-271aabd05738@canonical.com>


==========================================================================
Ubuntu Security Notice USN-7350-1
March 12, 2025

unrar-nonfree vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in UnRAR.

Software Description:
- unrar-nonfree: Unarchiver for .rar files

Details:

It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)

It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)

Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked into processing a specially crafted RAR archive, a remote attacker
could possibly use this issue to spoof screen output or cause a denial of
service. (CVE-2024-33899)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
   libunrar5                       1:6.1.5-1ubuntu0.1
   unrar                           1:6.1.5-1ubuntu0.1

Ubuntu 20.04 LTS
   libunrar5                       1:5.6.6-2ubuntu0.1
   unrar                           1:5.6.6-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7350-1
   CVE-2022-30333, CVE-2022-48579, CVE-2023-40477, CVE-2024-33899

Package Information:
   https://launchpad.net/ubuntu/+source/unrar-nonfree/1:6.1....
   https://launchpad.net/ubuntu/+source/unrar-nonfree/1:5.6....





Attachment: OpenPGP_signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmfR6HsFAwAAAAAACgkQZWnYVadEvpMp
MA/8C44s7GkcmOb1ZuHsJhqmGWdVnq58jr5g3akF7Nip8qXnKfcCjvRkbDsJKV5UjfdeLoIEQyNU
H5W7kmnj8ZNI9YSKCearHZKwm6aZ5Z/lyI6CnVePL7a9QC+E4ulYwKWjN4lRm7xGhwKvOLSFhAGl
Qv9dC/4K5CUGywqWUTviENHsXPj89rQ0gnD3TbdGHUhO+L0kZmCGCu/b5bik73FKkR3H9TFiuOMt
tPPvpir+ImQclZOM6YQaq7t0eeLgDZhc2ojRiY1GkBZ3xdGCk8sAF2B5/EqPXt+t38YJUF8tczTI
BjcgBbZcboNGCPrHzPmbZj4WnnHn6iYKft0swmpk6lyuXRMw4SWpQViomOuvFiSwO5oKa/WbxT7a
7XtbxyVPbyjKAHwse24RJeq+BKuLqE+Z++5ac37MpfT2u8/D4DK8Sv6TskA1fMt0KiVo65Ziyr8N
GV5SwrQh3MsWdlx4gooYtJa8JgL4FDRuD0TQLrScO6v2B7Cfnd/4e1UuutPnrGdPUfIYWFlQcB3F
u50rpes6ykv0A4ai2ltp88+v5z0itU5krKHAqekPgrU80+7vdiDI/Dn3WbhTN2Pqj5eMSjoClwv0
QEwV51bMHpii96KXI6u4qRFKW4YCcXyfVdf/x276WMnzk5SQm8ECyyU86DDgzfv5BU3vNRbIvb0O
dXc=
=VPQT
-----END PGP SIGNATURE-----




Attachment: None (type=text/plain)
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds