Gentoo update for RAR, UnRAR

Published: 2023-09-17

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2022-30333 CVE-2023-40477
CWE-ID	CWE-22 CWE-129
Exploitation vector	Network
Public exploit	Vulnerability #1 is being exploited in the wild.
Vulnerable software Subscribe	Gentoo Linux Operating systems & Components / Operating system app-arch/unrar Operating systems & Components / Operating system package or component app-arch/rar Operating systems & Components / Operating system package or component
Vendor	Gentoo

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU62908

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-30333

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences when extracting files from archive. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system with privileges of the current user.

The vulnerability affects Linux and UNIX systems.

Mitigation

Update the affected packages.
app-arch/rar to version: 6.23
app-arch/unrar to version: 6.2.10

Vulnerable software versions

Gentoo Linux: All versions

app-arch/unrar: before 6.2.10

app-arch/rar: before 6.23

Fixed software versions

CPE2.3

cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*

External links

http://security.gentoo.org/glsa/202309-04

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper Validation of Array Index

EUVDB-ID: #VU79711

Risk: High