Version in base suite: 5.6.6-1 Base version: unrar-nonfree_5.6.6-1 Target version: unrar-nonfree_5.6.6-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/non-free/u/unrar-nonfree/unrar-nonfree_5.6.6-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/non-free/u/unrar-nonfree/unrar-nonfree_5.6.6-1+deb10u1.dsc changelog | 6 +++ patches/CVE-2022-30333.diff | 76 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 83 insertions(+)
diff -Nru unrar-nonfree-5.6.6/debian/changelog unrar-nonfree-5.6.6/debian/changelog
--- unrar-nonfree-5.6.6/debian/changelog 2018-10-24 02:00:16.000000000 +0000
+++ unrar-nonfree-5.6.6/debian/changelog 2022-05-10 12:00:00.000000000 +0000
@@ -1,3 +1,9 @@
+unrar-nonfree (1:5.6.6-1+deb10u1) buster; urgency=high
+
+ * Fix CVE-2022-30333 (Closes: #1010837)
+
+ -- YOKOTA Hiroshi Tue, 10 May 2022 21:00:00 +0900
+
 unrar-nonfree (1:5.6.6-1) unstable; urgency=medium
 
 * add myself to uploaders with Martin's consent,
diff -Nru unrar-nonfree-5.6.6/debian/patches/CVE-2022-30333.diff unrar-nonfree-5.6.6/debian/patches/CVE-2022-30333.diff
--- unrar-nonfree-5.6.6/debian/patches/CVE-2022-30333.diff 1970-01-01 00:00:00.000000000 +0000
+++ unrar-nonfree-5.6.6/debian/patches/CVE-2022-30333.diff 2022-05-10 12:00:00.000000000 +0000
@@ -0,0 +1,76 @@
+From: YOKOTA Hiroshi
+Date: Tue, 10 May 2022 20:25:13 +0900
+Subject: Fix CVE-2022-30333
+
+Forwarded: not-needed
+---
+ ulinks.cpp | 36 +++++++++++++++++++++++++++++++-----
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+Index: b/ulinks.cpp
+===================================================================
+--- a/ulinks.cpp
++++ b/ulinks.cpp
+@@ -45,6 +45,26 @@ static bool IsFullPath(const char *PathA
+ }
+
+
++// For security purpose we prefer to be sure that CharToWide completed
++// successfully and even if it truncated a string for some reason,
++// it didn't affect the number of path related characters we analyze
++// in IsRelativeSymlinkSafe later.
++// This check is likely to be excessive, but let's keep it anyway.
++static bool SafeCharToWide(const char *Src,wchar *Dest,size_t DestSize)
++{
++ if (!CharToWide(Src,Dest,DestSize) || *Dest==0)
++ return false;
++ uint SrcChars=0,DestChars=0;
++ for (uint I=0;Src[I]!=0;I++)
++ if (Src[I]=='/' || Src[I]=='.')
++ SrcChars++;
++ for (uint I=0;Dest[I]!=0;I++)
++ if (Dest[I]=='/' || Dest[I]=='.')
++ DestChars++;
++ return SrcChars==DestChars;
++}
++
++
+ bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName)
+ {
+ char Target[NM];
+@@ -67,12 +87,12 @@ bool ExtractUnixLink30(CommandData *Cmd,
+ return true;
+
+ wchar TargetW[NM];
+- CharToWide(Target,TargetW,ASIZE(TargetW));
+- // Check for *TargetW==0 to catch CharToWide failure.
++ if (!SafeCharToWide(Target,TargetW,ASIZE(TargetW)))
++ return false;
+ // Use Arc.FileHead.FileName instead of LinkName, since LinkName
+ // can include the destination path as a prefix, which can
+ // confuse IsRelativeSymlinkSafe algorithm.
+- if (!Cmd->AbsoluteLinks && (*TargetW==0 || IsFullPath(TargetW) ||
++ if (!Cmd->AbsoluteLinks && (IsFullPath(TargetW) ||
+ !IsRelativeSymlinkSafe(Cmd,Arc.FileHead.FileName,LinkName,TargetW)))
+ return false;
+ return UnixSymlink(Target,LinkName,&Arc.FileHead.mtime,&Arc.FileHead.atime);
+@@ -95,11 +115,17 @@ bool ExtractUnixLink50(CommandData *Cmd,
+ return false;
+ DosSlashToUnix(Target,Target,ASIZE(Target));
+ }
++
++ wchar TargetW[NM];
++ if (!SafeCharToWide(Target,TargetW,ASIZE(TargetW)))
++ return false;
+ // Use hd->FileName instead of LinkName, since LinkName can include
+ // the destination path as a prefix, which can confuse
+ // IsRelativeSymlinkSafe algorithm.
+- if (!Cmd->AbsoluteLinks && (IsFullPath(Target) ||
+- !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,hd->RedirName)))
++ // 2022.05.04: Use TargetW instead of previously used hd->RedirName
++ // for security reason.
++ if (!Cmd->AbsoluteLinks && (IsFullPath(TargetW) ||
++ !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,TargetW)))
+ return false;
+ return UnixSymlink(Target,Name,&hd->mtime,&hd->atime);
+ }
diff -Nru unrar-nonfree-5.6.6/debian/patches/series unrar-nonfree-5.6.6/debian/patches/series
--- unrar-nonfree-5.6.6/debian/patches/series 2018-10-24 02:00:16.000000000 +0000
+++ unrar-nonfree-5.6.6/debian/patches/series 2022-05-10 12:00:00.000000000 +0000
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2022-30333.diff
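Review bot: In both `ExtractUnixLink30` and `ExtractUnixLink50` the safety check runs on `TargetW` while `UnixSymlink` is still called with the narrow `Target`, so the check is only as strong as `SafeCharToWide`'s guarantee that the two strings describe the same path. That helper compares only the counts of `/` and `.` characters, not their positions, and its comment does not name the property the callers depend on; I would add a line such as `// Callers validate Dest but create the link from Src, so both must hold the same separators and dots.` The `2022.05.04` comment in `ExtractUnixLink50` should state the reason instead of "for security reason", e.g. `// Validate the string that may have been rewritten by DosSlashToUnix and is passed to UnixSymlink, not the raw hd->RedirName.` Separately, the patch header has `Forwarded: not-needed` but no `Origin:` field, which makes the backport harder to audit against upstream; `Origin: upstream, UPSTREAM_VERSION_OR_URL` (placeholder) would record where the hunks came from. The bodies of both Extract functions start outside the inner hunks shown here.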