• [USN-7349-1] RAR vulnerabilities

    From Sean Rima@618:500/1.1 to All on Wed Mar 12 20:22:15 2025
    * Replying to a msg in LISTS.UBUNTU-SECURITY (LISTS.UBUNTU-SECURITY)


    Hello everybody!

    12 Mar 25 20:20, Linux Ubuntu Security List wrote to all:


    ======================================================================
    Ubuntu Security Notice USN-7349-1
    March 12, 2025

    rar vulnerabilities
    ======================================================================

    A security issue affects these releases of Ubuntu and its derivatives:

    - Ubuntu 22.04 LTS
    - Ubuntu 20.04 LTS

    Summary:

    Several security issues were fixed in RAR.

    Software Description:
    - rar: Archiver for .rar files

    Details:

    It was discovered that RAR incorrectly handled certain paths. If a
    user or automated system were tricked into extracting a specially
    crafted RAR archive, a remote attacker could possibly use this issue
    to write arbitrary files outside of the targeted directory. (CVE-2022-30333)

    It was discovered that RAR incorrectly handled certain recovery
    volumes. If a user or automated system were tricked into extracting a
    specially crafted RAR archive, a remote attacker could possibly use
    this issue to execute arbitrary code. (CVE-2023-40477)

    Update instructions:

    The problem can be corrected by updating your system to the following
    package versions:

    Ubuntu 22.04 LTS
    rar 2:6.23-1~22.04.1

    Ubuntu 20.04 LTS
    rar 2:6.23-1~20.04.1

    This update uses a new upstream release, which includes additional bug
    fixes. In general, a standard system update will make all the
    necessary changes.

    References:
    https://ubuntu.com/security/notices/USN-7349-1
    CVE-2022-30333, CVE-2023-40477

    Package Information:
    https://launchpad.net/ubuntu/+source/rar/2:6.23-1~22.04.1
    https://launchpad.net/ubuntu/+source/rar/2:6.23-1~20.04.1

    --- BBBS/LiR v4.10 Toy-7
    * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (2:263/1)

    Sean


    ... TCOB1: https://binkd.rima.ie telnet: binkd.rima.ie
    --- GoldED+/LNX 1.1.5-b20240309
    * Origin: <-Sean's Pointless Point-> (618:500/1.1)
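    The first issue in the notice (CVE-2022-30333) is a path traversal during extraction: an entry name that escapes the target directory. The check below is an added example, not code from the notice or from RAR, showing how an extraction wrapper can validate entry names against the destination before writing anything; the destination path and the member names are constructed sample values.

    ```python
    import os

    def is_safe_member(dest_dir: str, member_name: str) -> bool:
        """True only if an entry named member_name would land inside dest_dir.

        Handles the cases a crafted archive can present: '..' segments,
        absolute paths, Windows drive letters, backslash separators and
        prefix collisions such as /tmp/out versus /tmp/out2.
        """
        # Archives built on Windows may carry backslashes; normalise them first.
        name = member_name.replace("\\", "/")
        # Absolute paths and drive-letter paths never belong inside dest_dir.
        if name.startswith("/"):
            return False
        if len(name) > 1 and name[0].isalpha() and name[1] == ":":
            return False  # conservatively rejects any "X:..." form
        base = os.path.realpath(dest_dir)
        # realpath also collapses '..' and resolves any symlinks already on disk.
        target = os.path.realpath(os.path.join(base, name))
        # commonpath compares whole path components, so "/tmp/out2" is not
        # mistaken for a child of "/tmp/out" the way a str.startswith check would.
        return os.path.commonpath([base, target]) == base

    def filter_members(dest_dir: str, member_names):
        """Split a listing into (safe, rejected) so callers can refuse the whole
        archive or skip only the offending entries, as policy dictates."""
        safe, rejected = [], []
        for name in member_names:
            (safe if is_safe_member(dest_dir, name) else rejected).append(name)
        return safe, rejected

    # Constructed sample listing, resembling entry names a crafted archive could carry.
    SAMPLE_MEMBERS = [
        "docs/readme.txt",          # ordinary relative entry
        "../../outside.txt",        # classic '..' traversal
        "/etc/hosts",               # absolute path
        "..\\..\\outside.ini",      # traversal with backslash separators
        "docs/../docs/ok.txt",      # contains '..' but stays inside dest
        "C:/outside.txt",           # drive-letter path
    ]

    if __name__ == "__main__":
        ok, bad = filter_members("/tmp/extract_example", SAMPLE_MEMBERS)
        print("safe:", ok)
        print("rejected:", bad)
    ```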
  • From Sean Dennis@618:618/1 to Sean Rima on Wed Mar 12 20:57:41 2025
    Hello Sean!

    12 Mar 25 20:22, you wrote to all:

    Several security issues were fixed in RAR.

    I'm a registered user of RAR but I quit using it for BBS files since it's not backwards-compatible. I was using the open-source ARJ as I find it to be more capable than RAR or ZIP, but enough people have bitched at me about using ARJ that I'm just going to use Info-Zip's ZIP. I don't really like using ZIP as it was originally based on a stolen copy of the source code to ARC.

    -- Sean

    ... Indecision is the key to flexibility.
    --- GoldED+/LNX 1.1.5-b20240209
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Sean Rima@618:500/1.1 to Sean Dennis on Thu Mar 13 09:48:27 2025

    Hello Sean!

    12 Mar 25 20:57, you wrote to me:

    Several security issues were fixed in RAR.

    I'm a registered user of RAR but I quit using it for BBS files since
    it's not backwards-compatible. I was using the open-source ARJ as I
    find it to be more capable than RAR or ZIP, but enough people have
    bitched at me about using ARJ that I'm just going to use Info-Zip's ZIP.
    I don't really like using ZIP as it was originally based on a stolen
    copy of the source code to ARC.

    I am also a registered user, but don't use it. Not even sure if the keyfile is used under Linux. Never knew that about Info-ZIP.

    Sean


    ... TCOB1: https://binkd.rima.ie telnet: binkd.rima.ie
    --- GoldED+/LNX 1.1.5-b20240309
    * Origin: <-Sean's Pointless Point-> (618:500/1.1)
  • From digimaus@618:618/1 to Sean Rima on Thu Mar 13 20:26:46 2025
    Sean Rima wrote to Sean Dennis <=-

    I am also a registered user, but don't use it. Not even sure if the keyfile is used under Linux. Never knew that about Info-ZIP.

    Oh, it's the actual ZIP code by Phil Katz. If anything, Info-ZIP is its original code based on reverse engineering ZIP packets.

    Here's one of the videos I watched on YT that explains how ZIP came to be
    and how the BBS community embraced it based on Katz's lies: https://www.youtube.com/watch?v=lu7sY1LOWiI

    I also did some fact-checking of my own and sadly, the video seems to be
    spot on.

    -- Sean

    ... Maugham's Thought: only a mediocre person is always at his best.
    --- MultiMail/Linux
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From TheCivvie@618:500/1.1 to digimaus on Fri Mar 14 10:03:49 2025

    Hello digimaus!

    13 Mar 25 20:26, you wrote to me:

    I am also a registered user, but don't use it. Not even sure if
    the keyfile is used under Linux. Never knew that about Info-ZIP.

    Oh, it's the actual ZIP code by Phil Katz. If anything, Info-ZIP is
    its original code based on reverse engineering ZIP packets.

    Here's one of the videos I watched on YT that explains how ZIP came to
    be and how the BBS community embraced it based on Katz's lies: https://www.youtube.com/watch?v=lu7sY1LOWiI

    I also did some fact-checking of my own and sadly, the video seems to
    be spot on.

    That was very interesting. And such a sad end for Katz.

    TheCivvie


    ... TCOB1: https://binkd.rima.ie telnet: binkd.rima.ie
    --- GoldED+/LNX 1.1.5-b20240309
    * Origin: <-Sean's Pointless Point-> (618:500/1.1)