Uploading a LowNMU. debdiff is attached.
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/amd64/default.sfx and 
/tmp/eV0XXk0MmZ/rar-6.20/amd64/default.sfx differ.
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/amd64/rar and 
/tmp/eV0XXk0MmZ/rar-6.20/amd64/rar differ.
diff -Nru rar-6.20~b1/amd64/rar.txt rar-6.20/amd64/rar.txt
--- rar-6.20~b1/amd64/rar.txt   2022-10-25 16:08:58.000000000 +0200
+++ rar-6.20/amd64/rar.txt      2023-01-17 17:29:25.000000000 +0100
@@ -857,7 +857,7 @@
             attributes.
 
             In Windows it affects archive, system, hidden and read-only
-            attributes. in Unix - user, group, and others file permissions.
+            attributes. in Unix - user, group, and other file permissions.
 
 
     -am[s,r]
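Review bot: the corrected line still starts a sentence with a lowercase word ("attributes. in Unix - user, group, and other file permissions."); since the line is being touched anyway, capitalize it or merge the two clauses, e.g. "In Windows it affects archive, system, hidden and read-only attributes; in Unix, the user, group and other file permissions."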
@@ -869,11 +869,14 @@
             Saved metadata is displayed in header of 'l' and 'v' archive
             list commands.
 
+            If used together with -tk or -tl switches, -ams saves
+            the archive modification time set by these switches.
+
             Switch -amr renames an archive to saved name. Also it sets
             the stored time as the archive creation and modification time
             in Windows and as the archive modification time in Unix.
             It can be used together with 'ch' command only, which ignores
-            all other archive modificiation switches if -amr is specified.
+            all other archive modification switches if -amr is specified.
 
             Switch -am without 's' and 'r' modifiers is treated as -ams.
 
@@ -1768,16 +1771,16 @@
             symbolic links when extracting.
 
             RAR adds all links regardless of target when archiving with
-            -ol switch. When extracting, by default, RAR skips symbolic
-            links pointing outside of destination directory, with absolute
-            paths, excessive number of ".." in link target or with other
-            potentially dangerous link parameters. You can enable extracting
-            such links with -ola switch.
-
-            Links pointing to directories outside of extraction destination
-            directory can present a security risk. Enable their extraction
-            only if you are sure that archive contents is safe,
-            such as your own backup.
+            -ol switch. When extracting, to prevent placing files outside
+            of destination directory RAR can skip symbolic links with
+            absolute paths, the excessive number of ".." in link target
+            or other potentially dangerous link parameters. Also it can
+            convert some of links to directories. You can turn off these
+            security checks and extract all links as is with -ola switch.
+
+            Placing files outside of destination directory can present
+            a security risk when extracting. Use -ola switch only if you
+            are sure that archive contents is safe, such as your own backup.
 
             Links that are considered safe by RAR are extracted always
             regardless of -ol or -ola switch.
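Review bot: the rewritten paragraph drops the statement that the link checks are on by default, which is the security-relevant point. The old text said "by default, RAR skips symbolic links ..."; the new "RAR can skip symbolic links with absolute paths ... Also it can convert some of links to directories" reads as optional behaviour and does not say which links are converted, so a reader cannot tell what happens without -ola. Suggested wording: "When extracting, RAR by default skips symbolic links with absolute paths, an excessive number of '..' in the link target or other potentially dangerous link parameters, and converts <which> links into directories. Switch -ola turns these checks off and extracts all links as is." Also "archive contents is safe" should be "archive contents are safe".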
@@ -2677,7 +2680,7 @@
 
  Copyrights
 
-    (c) 1993-2022 Alexander Roshal
+    (c) 1993-2023 Alexander Roshal
 
 
 
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/amd64/unrar and 
/tmp/eV0XXk0MmZ/rar-6.20/amd64/unrar differ.
diff -Nru rar-6.20~b1/amd64/whatsnew.txt rar-6.20/amd64/whatsnew.txt
--- rar-6.20~b1/amd64/whatsnew.txt      2022-10-25 16:08:58.000000000 +0200
+++ rar-6.20/amd64/whatsnew.txt 2023-01-17 17:29:25.000000000 +0100
@@ -1,9 +1,15 @@
                 RAR - What's new in the latest version
 
 
-   Version 6.20 beta 1
+   Version 6.20
 
-   1. If extraction command involves only a part of files in RAR archive,
+   1. Fixed the security vulnerability allowing to create unpacked files
+      outside of destination directory and to copy files resided outside of
+      destination directory into the destination directory.
+
+      We are thankful to Simon Scannell from Google for reporting it.
+
+   2. If extraction command involves only a part of files in RAR archive,
       the additional archive analysis is performed when starting extraction.
       It helps to properly unpack file references even if reference source
       is not selected. It works for most of RAR archives except for volumes
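Review bot: item 1 is the only security-relevant change in this release and it is underspecified: it names no affected versions, does not say whether the separate unrar binary (which also changed in this debdiff) was affected, and carries no advisory identifier that a distribution changelog could cite. Since this text is upstream's, the packager cannot fix it here, but the Debian changelog should at least state that the upload fixes extraction outside the destination directory. Grammar: "to copy files resided outside of destination directory" should read "to copy files residing outside the destination directory".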
@@ -14,7 +20,7 @@
       of processing data when extracting individual files from
       semi-solid archives created with -s<N> and -se switches.
 
-   2. Switch -ams or just -am together with archive modification commands
+   3. Switch -ams or just -am together with archive modification commands
       can be used to save the archive name and creation time.
       
       These saved parameters are displayed in header of "l" and "v" commands
@@ -25,22 +31,22 @@
       Restoring involves renaming an archive to original name and setting
       the saved time as the archive modification time.
 
-   3. Faster RAR5 compression of poorly compressible data on modern CPUs
+   4. Faster RAR5 compression of poorly compressible data on modern CPUs
       with 8 or more execution threads. This applies to all methods
       except "Fastest", which performance remains the same.
 
-   4. "Repair" command efficiency is improved for shuffled data blocks
+   5. "Repair" command efficiency is improved for shuffled data blocks
       in recovery record protected RAR5 archives.
          
-   5. If file size has grown after archiving when creating non-solid
+   6. If file size has grown after archiving when creating non-solid
       RAR volumes, such file is stored without compression regardless of
       volume number, provided that file isn't split between volumes.
       Previously it worked only for files in the first volume.
 
-   6. When archiving from stdin with -si switch, RAR displays the current
+   7. When archiving from stdin with -si switch, RAR displays the current
       amount of read bytes as the progress indicator.
    
-   7. If wrong password is specified when adding files to encrypted
+   8. If wrong password is specified when adding files to encrypted
       solid RAR5 archive, a password will be requested again.
       Previous versions cancelled archiving in this case.
 
diff -Nru rar-6.20~b1/debian/changelog rar-6.20/debian/changelog
--- rar-6.20~b1/debian/changelog        2022-10-26 19:10:57.000000000 +0200
+++ rar-6.20/debian/changelog   2023-01-27 18:37:39.000000000 +0100
@@ -1,3 +1,10 @@
+rar (2:6.20-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * New upstream version (Closes: #1029786)
+
+ -- Bastian Germann <b...@debian.org>  Fri, 27 Jan 2023 18:37:39 +0100
+
 rar (2:6.20~b1-0.1) unstable; urgency=medium
 
   * Non-maintainer upload
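Review bot: the entry describes this upload only as "New upstream version (Closes: #1029786)" at urgency=medium, but whatsnew.txt in the same debdiff states that 6.20 fixes a vulnerability allowing files to be written outside the extraction directory. That belongs in the Debian changelog so the security tracker and users see it, e.g. "* New upstream version (Closes: #1029786), fixes creation of files outside the destination directory on extraction (see whatsnew.txt)", and urgency=high is the usual choice for an upload whose purpose is a security fix.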
diff -Nru rar-6.20~b1/debian/copyright rar-6.20/debian/copyright
--- rar-6.20~b1/debian/copyright        2022-10-26 19:10:57.000000000 +0200
+++ rar-6.20/debian/copyright   2023-01-27 18:37:39.000000000 +0100
@@ -7,13 +7,13 @@
 Source: http://www.rarlab.com/download.htm
 
 Files: *
-Copyright: Copyright (c) 1993-2022 Alexander Roshal 
+Copyright: Copyright (c) 1993-2023 Alexander Roshal 
 Comment: This software is shareware.
 License: RAR-EULA
 
 Files: *rar
 Copyright:
- Copyright (c) 1993-2022 Alexander Roshal
+ Copyright (c) 1993-2023 Alexander Roshal
  Copyright (c) 2004-2006 Intel Corporation. All Rights Reserved
 License: RAR-EULA and BSD-2-clause
 
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/default.sfx and 
/tmp/eV0XXk0MmZ/rar-6.20/default.sfx differ.
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/rar and /tmp/eV0XXk0MmZ/rar-6.20/rar 
differ.
diff -Nru rar-6.20~b1/rar.txt rar-6.20/rar.txt
--- rar-6.20~b1/rar.txt 2022-10-25 16:07:56.000000000 +0200
+++ rar-6.20/rar.txt    2023-01-17 17:28:06.000000000 +0100
@@ -857,7 +857,7 @@
             attributes.
 
             In Windows it affects archive, system, hidden and read-only
-            attributes. in Unix - user, group, and others file permissions.
+            attributes. in Unix - user, group, and other file permissions.
 
 
     -am[s,r]
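Review bot: this hunk, and the rest of the rar.txt diff that follows it, is byte-for-byte the same as the amd64/rar.txt diff above (only the file timestamps differ). Any wording fix made to one copy, including the lowercase "in Unix" after the full stop on the changed line, has to be applied to both, or the package should ship a single copy of the documentation.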
@@ -869,11 +869,14 @@
             Saved metadata is displayed in header of 'l' and 'v' archive
             list commands.
 
+            If used together with -tk or -tl switches, -ams saves
+            the archive modification time set by these switches.
+
             Switch -amr renames an archive to saved name. Also it sets
             the stored time as the archive creation and modification time
             in Windows and as the archive modification time in Unix.
             It can be used together with 'ch' command only, which ignores
-            all other archive modificiation switches if -amr is specified.
+            all other archive modification switches if -amr is specified.
 
             Switch -am without 's' and 'r' modifiers is treated as -ams.
 
@@ -1768,16 +1771,16 @@
             symbolic links when extracting.
 
             RAR adds all links regardless of target when archiving with
-            -ol switch. When extracting, by default, RAR skips symbolic
-            links pointing outside of destination directory, with absolute
-            paths, excessive number of ".." in link target or with other
-            potentially dangerous link parameters. You can enable extracting
-            such links with -ola switch.
-
-            Links pointing to directories outside of extraction destination
-            directory can present a security risk. Enable their extraction
-            only if you are sure that archive contents is safe,
-            such as your own backup.
+            -ol switch. When extracting, to prevent placing files outside
+            of destination directory RAR can skip symbolic links with
+            absolute paths, the excessive number of ".." in link target
+            or other potentially dangerous link parameters. Also it can
+            convert some of links to directories. You can turn off these
+            security checks and extract all links as is with -ola switch.
+
+            Placing files outside of destination directory can present
+            a security risk when extracting. Use -ola switch only if you
+            are sure that archive contents is safe, such as your own backup.
 
             Links that are considered safe by RAR are extracted always
             regardless of -ol or -ola switch.
@@ -2677,7 +2680,7 @@
 
  Copyrights
 
-    (c) 1993-2022 Alexander Roshal
+    (c) 1993-2023 Alexander Roshal
 
 
 
Binary files /tmp/odU1L5pH0r/rar-6.20~b1/unrar and 
/tmp/eV0XXk0MmZ/rar-6.20/unrar differ.
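Review bot: the actual fix lives in the six binaries reported as differing (amd64/default.sfx, amd64/rar, amd64/unrar, default.sfx, rar, unrar), which a debdiff cannot show. Before uploading, confirm that each binary in the new source package is identical (by checksum) to the corresponding file in the upstream 6.20 download for that architecture, and note in the changelog that this was checked, since a reviewer has no other way to tell that these are the upstream-built binaries containing the fix.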
diff -Nru rar-6.20~b1/whatsnew.txt rar-6.20/whatsnew.txt
--- rar-6.20~b1/whatsnew.txt    2022-10-25 16:07:56.000000000 +0200
+++ rar-6.20/whatsnew.txt       2023-01-17 17:28:06.000000000 +0100
@@ -1,9 +1,15 @@
                 RAR - What's new in the latest version
 
 
-   Version 6.20 beta 1
+   Version 6.20
 
-   1. If extraction command involves only a part of files in RAR archive,
+   1. Fixed the security vulnerability allowing to create unpacked files
+      outside of destination directory and to copy files resided outside of
+      destination directory into the destination directory.
+
+      We are thankful to Simon Scannell from Google for reporting it.
+
+   2. If extraction command involves only a part of files in RAR archive,
       the additional archive analysis is performed when starting extraction.
       It helps to properly unpack file references even if reference source
       is not selected. It works for most of RAR archives except for volumes
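Review bot: the whatsnew.txt diff repeats the amd64/whatsnew.txt diff above unchanged, including the "files resided outside" wording in item 1; if either copy is edited downstream, keep the two in sync.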
@@ -14,7 +20,7 @@
       of processing data when extracting individual files from
       semi-solid archives created with -s<N> and -se switches.
 
-   2. Switch -ams or just -am together with archive modification commands
+   3. Switch -ams or just -am together with archive modification commands
       can be used to save the archive name and creation time.
       
       These saved parameters are displayed in header of "l" and "v" commands
@@ -25,22 +31,22 @@
       Restoring involves renaming an archive to original name and setting
       the saved time as the archive modification time.
 
-   3. Faster RAR5 compression of poorly compressible data on modern CPUs
+   4. Faster RAR5 compression of poorly compressible data on modern CPUs
       with 8 or more execution threads. This applies to all methods
       except "Fastest", which performance remains the same.
 
-   4. "Repair" command efficiency is improved for shuffled data blocks
+   5. "Repair" command efficiency is improved for shuffled data blocks
       in recovery record protected RAR5 archives.
          
-   5. If file size has grown after archiving when creating non-solid
+   6. If file size has grown after archiving when creating non-solid
       RAR volumes, such file is stored without compression regardless of
       volume number, provided that file isn't split between volumes.
       Previously it worked only for files in the first volume.
 
-   6. When archiving from stdin with -si switch, RAR displays the current
+   7. When archiving from stdin with -si switch, RAR displays the current
       amount of read bytes as the progress indicator.
    
-   7. If wrong password is specified when adding files to encrypted
+   8. If wrong password is specified when adding files to encrypted
       solid RAR5 archive, a password will be requested again.
       Previous versions cancelled archiving in this case.
 