Version in base suite: 6.20-0.1 Base version: rar_6.20-0.1 Target version: rar_6.23-1~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/non-free/r/rar/rar_6.20-0.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/non-free/r/rar/rar_6.23-1~deb12u1.dsc /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/default.sfx |binary /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/rar |binary /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/unrar |binary /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/default.sfx |binary /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/rar |binary /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/unrar |binary rar-6.23/amd64/rar.txt | 2 rar-6.23/amd64/whatsnew.txt | 30 ++++++++++ rar-6.23/debian/changelog | 19 ++++++ rar-6.23/debian/control | 1 rar-6.23/rar.txt | 2 rar-6.23/whatsnew.txt | 30 ++++++++++ 12 files changed, 82 insertions(+), 2 deletions(-) Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/amd64/default.sfx and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/default.sfx differ Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/amd64/rar and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/rar differ diff -Nru rar-6.20/amd64/rar.txt rar-6.23/amd64/rar.txt --- rar-6.20/amd64/rar.txt 2023-01-17 16:29:25.000000000 +0000 +++ rar-6.23/amd64/rar.txt 2023-08-01 09:29:05.000000000 +0000 @@ -1,6 +1,6 @@ User's Manual ~~~~~~~~~~~~~ - RAR 6.20 console version + RAR 6.23 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/amd64/unrar and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/amd64/unrar differ diff -Nru rar-6.20/amd64/whatsnew.txt rar-6.23/amd64/whatsnew.txt --- rar-6.20/amd64/whatsnew.txt 2023-01-17 16:29:25.000000000 +0000 +++ rar-6.23/amd64/whatsnew.txt 2023-08-01 09:29:05.000000000 +0000 
@@ -1,6 +1,36 @@ RAR - What's new in the latest version + Version 6.23 + + 1. Bugs fixed: + + a) a security issue involving out of bounds write is fixed + in RAR4 recovery volumes processing code. + + We are thankful to goodbyeselene working with Trend Micro Zero Day + Initiative for letting us know about this bug. + + + Version 6.22 + + 1. Bugs fixed: + + a) extracting individual files from solid archives created by + RAR versions older than 2.0, could fail in RAR 6.20 and 6.21. + It didn't affect extracting the entire archive, which was performed + correctly. + + + Version 6.21 + + 1. Bugs fixed: + + a) if unencrypted file was stored after encrypted in the same + RAR archive and both files had been unpacked in the same extraction + command, RAR 6.20 failed to unpack the unencrypted file. + + Version 6.20 1. Fixed the security vulnerability allowing to create unpacked files diff -Nru rar-6.20/debian/changelog rar-6.23/debian/changelog --- rar-6.20/debian/changelog 2023-01-27 17:37:39.000000000 +0000 +++ rar-6.23/debian/changelog 2023-08-27 05:38:21.000000000 +0000 
@@ -1,3 +1,22 @@ +rar (2:6.23-1~deb12u1) bookworm; urgency=high + + * Non-maintainer upload. + * Fix CVE-2023-40477: + A specific flaw within the processing of recovery volumes exists in RAR, + an archive program for rar files. It allows remote attackers to execute + arbitrary code on affected installations. User interaction is required to + exploit this vulnerability. The target must visit a malicious page or open + a malicious rar file. + + -- Markus Koschany Sun, 27 Aug 2023 07:38:21 +0200 + +rar (2:6.23-1) unstable; urgency=medium + + * New upstream version (Closes: #1049870) + * Add myself to Uploaders (Closes: #1049871) + + -- Bastian Germann Wed, 16 Aug 2023 17:28:59 +0200 + rar (2:6.20-0.1) unstable; urgency=medium * Non-maintainer upload diff -Nru rar-6.20/debian/control rar-6.23/debian/control --- rar-6.20/debian/control 2022-10-26 17:10:57.000000000 +0000 +++ rar-6.23/debian/control 2023-08-16 15:28:59.000000000 +0000 @@ -3,6 +3,7 @@ XS-Autobuild: yes Priority: optional Maintainer: Martin Meredith +Uploaders: Bastian Germann Build-Depends: debhelper-compat (= 12) Standards-Version: 3.9.8 Homepage: https://www.rarlabs.com/ Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/default.sfx and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/default.sfx differ Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/rar and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/rar differ diff -Nru rar-6.20/rar.txt rar-6.23/rar.txt --- rar-6.20/rar.txt 2023-01-17 16:28:06.000000000 +0000 +++ rar-6.23/rar.txt 2023-08-01 09:28:30.000000000 +0000 
@@ -1,6 +1,6 @@ User's Manual ~~~~~~~~~~~~~ - RAR 6.20 console version + RAR 6.23 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Binary files /srv/release.debian.org/tmp/oamQsqUWgh/rar-6.20/unrar and /srv/release.debian.org/tmp/aJG_ydcMdY/rar-6.23/unrar differ diff -Nru rar-6.20/whatsnew.txt rar-6.23/whatsnew.txt --- rar-6.20/whatsnew.txt 2023-01-17 16:28:06.000000000 +0000 +++ rar-6.23/whatsnew.txt 2023-08-01 09:28:30.000000000 +0000 @@ -1,6 +1,36 @@ RAR - What's new in the latest version + Version 6.23 + + 1. Bugs fixed: + + a) a security issue involving out of bounds write is fixed + in RAR4 recovery volumes processing code. + + We are thankful to goodbyeselene working with Trend Micro Zero Day + Initiative for letting us know about this bug. + + + Version 6.22 + + 1. Bugs fixed: + + a) extracting individual files from solid archives created by + RAR versions older than 2.0, could fail in RAR 6.20 and 6.21. + It didn't affect extracting the entire archive, which was performed + correctly. + + + Version 6.21 + + 1. Bugs fixed: + + a) if unencrypted file was stored after encrypted in the same + RAR archive and both files had been unpacked in the same extraction + command, RAR 6.20 failed to unpack the unencrypted file. + + Version 6.20 1. Fixed the security vulnerability allowing to create unpacked files
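Review bot: the CVE-2023-40477 text in the 2:6.23-1~deb12u1 changelog entry says the target "must visit a malicious page or open a malicious rar file"; this package ships only the console rar and unrar binaries, so the "visit a malicious page" trigger does not apply here and should be dropped, leaving an attacker-supplied archive processed by rar/unrar as the vector. The wording "A specific flaw within the processing of recovery volumes exists in RAR, an archive program for rar files" also reads as pasted advisory prose; restating it as what upstream's whatsnew actually says (an out-of-bounds write in RAR4 recovery volume processing, fixed in 6.23) would give the security tracker a traceable source. Finally, the entry should say that this stable update is a new upstream release (6.20 to 6.23) rather than a targeted patch, since there is no source to backport and the 6.21 and 6.22 extraction fixes land in bookworm with it.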
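Review bot: the debian/control hunk adds an Uploaders field, which is packaging churn inherited from the 2:6.23-1 unstable upload rather than part of the security fix; harmless for a stable update, but the deb12u1 changelog entry does not mention it, and Standards-Version 3.9.8 is left untouched, so it would be cleaner to either note the carried-over change in the changelog or keep the stable upload limited to the version bump.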
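Review bot: the upstream 6.23 whatsnew entry names neither a CVE nor which binaries are affected, so debian/changelog is the only place the fix is tied to CVE-2023-40477; since unrar changes in this upload as well as rar (the "Binary files ... unrar differ" lines for both the top-level and amd64/ copies), it would help to state whether the out-of-bounds write in RAR4 recovery volume processing is reachable from unrar too, i.e. whether both binaries needed the update, or whether unrar is simply rebuilt alongside. The identical whatsnew.txt hunks under rar-6.23/ and rar-6.23/amd64/ are expected for the two shipped builds, but they also mean both copies of rar and unrar must be checked to be 6.23, not just the amd64 ones.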
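Review bot: because this is a non-free package shipping prebuilt binaries, none of the six "Binary files ... differ" lines can be reviewed for the actual fix; the reviewable evidence in this diff is limited to the upstream whatsnew entry and the "RAR 6.23 console version" bump in rar.txt. Before accepting, confirm that every shipped binary (rar, unrar and default.sfx, both the top-level and amd64/ copies) comes from the upstream 6.23 release, for example by comparing checksums against the upstream tarballs and by checking the version banner that rar and unrar print when run without arguments, so that a stale 6.20 binary cannot slip through under a 6.23 changelog.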