- Package: release.debian.org
- Source: release.debian.org
- Submitter: yokota
- Date: 2022-07-09 10:52:20 UTC
- Severity: normal
- Tags:

[ Reason ]
Fix CVE-2022-30333 and its corresponding RC bug.

[ Impact ]
CVE-2022-30333 is a directory traversal vulnerability. It writes to files outside of the extraction directory during an extract operation.

[ Tests ]
Compiled executable file passes current autopkgtest in Debian sid.

[ Risks ]
Test case of CVE-2022-30333 is not available.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Add patch to fix CVE-2022-30333. This patch was taken from the diff file between unrar 6.1.6 and 6.1.7.

[ Other info ]
Upstream developer uses both application version and source version. Upstream says this security vulnerability is fixed in application version 6.12. Application version 6.12's corresponding source version is 6.1.7. CVE-2022-30333 was fixed in source version 6.1.7.

Control: tags -1 + confirmed

Please go ahead.

Regards,
Adam

... Thanks. I uploaded unrar-nonfree/1:6.0.3-1+deb11u1 to bullseye.

package release.debian.org
tags 1010857 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: unrar-nonfree
Version: 6.0.3-1+deb11u1

Explanation: fix directory traversal issue [CVE-2022-30333]

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye point release.

Regards,
Adam