SB2025031282 - Ubuntu update for unrar-nonfree

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2022-30333)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences when extracting files from archive. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system with privileges of the current user.

The vulnerability affects Linux and UNIX systems.

2) Improper input validation (CVE-ID: CVE-2022-48579)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Outside In Core (unrar) component in Oracle Outside In Technology. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

3) Improper Validation of Array Index (CVE-ID: CVE-2023-40477)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of array index when processing recovery volumes. A remote attacker can trick the victim to open a specially crafted archive and execute arbitrary code on the system.

4) Input validation error (CVE-ID: CVE-2024-33899)

The vulnerability allows a remote attacker to perform a denial of service or spoofing attack.

The vulnerability exists due to insufficient validation of ANSI escape sequences within the CLI interface. A remote attacker can pass specially crafted input via CLI and spoof the archive output or perform a denial of service (DoS) attack.

Note, the vulnerability affects Linux and Unix installations only.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7350-1