Debian Bug report logs - #1050080
unrar: Fix CVE-2022-48579 for Debian 11
Reported by: YOKOTA Hiroshi <yokota.hgml@gmail.com>
Date: Sat, 19 Aug 2023 13:09:02 UTC
Severity: normal
Tags: security
Found in version unrar-nonfree/1:6.0.3-1+deb11u1
Fixed in versions unrar-nonfree/1:5.6.6-1+deb10u2, unrar-nonfree/1:6.2.3-1
Report forwarded to debian-bugs-dist@lists.debian.org, yokota.hgml@gmail.com, apo@debian.org, team@security.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>: Bug#1050080; Package unrar. (Sat, 19 Aug 2023 13:09:04 GMT)
Acknowledgement sent to YOKOTA Hiroshi <yokota.hgml@gmail.com>: New Bug report received and forwarded. Copy sent to yokota.hgml@gmail.com, apo@debian.org, team@security.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>. (Sat, 19 Aug 2023 13:09:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: unrar
Version: 1:6.0.3-1+deb11u1
Severity: normal
X-Debbugs-Cc: yokota.hgml@gmail.com, apo@debian.org, team@security.debian.org
CVE-2022-48579 was fixed at unrar-nonfree/1:5.6.6-1+deb10u2 in Debian 10
by Debian LTS team ( DLA-3535-1 ).
The fix patch for Debian 10 can be applied to Debian 11.
Fix patch for CVE-2022-48579
Debian 10: https://github.com/debian-calibre/unrar-nonfree/commit/28eb57cb85aa656b7cda0e2f6a282c09f7351272
Debian 11: https://github.com/debian-calibre/unrar-nonfree/commit/5daa9b93c099bd0219528d26778835ca1f6896da
FYI: CVE-2022-48579 was already fixed in 1:6.2.3-1 in Debian sid.
--
YOKOTA Hiroshi
Information forwarded to debian-bugs-dist@lists.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>: Bug#1050080; Package unrar. (Sat, 19 Aug 2023 13:18:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>. (Sat, 19 Aug 2023 13:18:03 GMT)
Message #10 received at 1050080@bugs.debian.org:
Hi,
On Sat, Aug 19, 2023 at 10:04:40PM +0900, YOKOTA Hiroshi wrote:
> Package: unrar
> Version: 1:6.0.3-1+deb11u1
> Severity: normal
> X-Debbugs-Cc: yokota.hgml@gmail.com, apo@debian.org, team@security.debian.org
>
> CVE-2022-48579 was fixed at unrar-nonfree/1:5.6.6-1+deb10u2 in Debian 10
> by Debian LTS team ( DLA-3535-1 ).
> The fix patch for Debian 10 can be applied to Debian 11.
>
> Fix patch for CVE-2022-48579
> Debian 10: https://github.com/debian-calibre/unrar-nonfree/commit/28eb57cb85aa656b7cda0e2f6a282c09f7351272
> Debian 11: https://github.com/debian-calibre/unrar-nonfree/commit/5daa9b93c099bd0219528d26778835ca1f6896da
>
> FYI: CVE-2022-48579 was already fixed in 1:6.2.3-1 in Debian sid.
FWIW, does not warrant a DSA, but can be fixed via upcoming point
release.
Regards,
Salvatore
Marked as fixed in versions unrar-nonfree/1:6.2.3-1. Request was from yokota <yokota.hgml@gmail.com> to control@bugs.debian.org. (Sat, 19 Aug 2023 13:21:03 GMT)
Marked as fixed in versions unrar-nonfree/1:5.6.6-1+deb10u2. Request was from yokota <yokota.hgml@gmail.com> to control@bugs.debian.org. (Sat, 19 Aug 2023 13:21:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>: Bug#1050080; Package unrar. (Sat, 19 Aug 2023 13:24:03 GMT)
Acknowledgement sent to yokota <yokota.hgml@gmail.com>: Extra info received and forwarded to list. Copy sent to UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>. (Sat, 19 Aug 2023 13:24:03 GMT)
Message #19 received at 1050080@bugs.debian.org:
Hello Salvatore,
> FWIW, does not warrant a DSA, but can be fixed via upcoming point
> release.
Thank you.
I will try to do that.
--
YOKOTA Hiroshi
Information forwarded to debian-bugs-dist@lists.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>: Bug#1050080; Package unrar. (Sat, 19 Aug 2023 13:33:02 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>. (Sat, 19 Aug 2023 13:33:02 GMT)
Message #24 received at 1050080@bugs.debian.org:
Hello,
I wanted to prepare a fix for CVE-2022-48579 in Bullseye and release it via a
bullseye point update. Do you want to take care of the upload instead?
Regards,
Markus
Information forwarded to debian-bugs-dist@lists.debian.org, UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>: Bug#1050080; Package unrar. (Sun, 20 Aug 2023 00:21:02 GMT)
Acknowledgement sent to yokota <yokota.hgml@gmail.com>: Extra info received and forwarded to list. Copy sent to UnRar maintainer team <team+unrar-nonfree@tracker.debian.org>. (Sun, 20 Aug 2023 00:21:02 GMT)
Message #29 received at 1050080@bugs.debian.org:
Hello Markus,
> I wanted to prepare a fix for CVE-2022-48579 in Bullseye and release it via a
> bullseye point update. Do you want to take care of the upload instead?
Thank you.
So, please upload the bullseye fix via the point update yourself.
My current Git status is here.
https://github.com/debian-calibre/unrar-nonfree/tree/bullseye-update
Close this bug report when the bug is fixed.
--
YOKOTA Hiroshi
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Aug 2023 20:24:02 GMT)
Last modified: Wed Aug 23 17:51:21 2023