This has been passed on upstream, with no responses as it should have been marked.
On 27 Dec 2016 3:21 p.m., "Moritz Mühlenhoff" <j...@inutil.org> wrote:
> On Mon, Dec 29, 2014 at 10:29:28PM +0100, Jakub Wilk wrote:
> > Package: rar
> > Version: 2:4.2.0-1
> > Tags: security
> >
> > RAR follows symlinks when unpacking stuff, even the symlinks that were
> > created during the same unpack process.
> > It is therefore possible to create a malicious RAR archive that will be
> > unpacked into an arbitrary directory outside cwd.
>
> What's the status? This bug hasn't seen maintainer acknowledgement in
> two years?
>
> Cheers,
> Moritz
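
The check below is an added example, not part of the original thread or of RAR's code: a pre-extraction pass over an archive listing that refuses any entry whose path runs through a symlink created earlier in the same archive, the behaviour described in the report. The entry tuples, the function name and the sample listing are constructed for illustration, and POSIX-style member paths are assumed.

```python
import posixpath

def find_unsafe_entries(entries):
    """Scan (path, kind, link_target) tuples in archive order.

    kind is 'file', 'dir' or 'symlink'. Returns (path, reason) for every
    entry that should not be extracted into the destination directory.
    """
    symlinks = set()  # normalized paths of symlinks declared so far
    rejected = []
    for path, kind, target in entries:
        norm = posixpath.normpath(path)
        parts = norm.split("/")
        # 1. The member name itself must stay inside the destination.
        if posixpath.isabs(norm) or ".." in parts:
            rejected.append((path, "member path leaves extraction directory"))
            continue
        # 2. No component of the path (including the final one) may be a
        #    symlink that this same archive created earlier.
        prefixes = ("/".join(parts[:i]) for i in range(1, len(parts) + 1))
        hit = next((p for p in prefixes if p in symlinks), None)
        if hit is not None:
            rejected.append((path, "written through archive symlink " + hit))
            continue
        if kind == "symlink":
            # Record every symlink, even a rejected one, so later members
            # that depend on it are flagged as well.
            symlinks.add(norm)
            # 3. The link target, resolved lexically, must stay inside too.
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(norm), target))
            if (posixpath.isabs(target) or resolved == ".."
                    or resolved.startswith("../")):
                rejected.append((path, "symlink target leaves extraction directory"))
    return rejected

# Constructed listing: one in-tree symlink, one escaping symlink, a member
# placed beneath the escaping symlink, and a plain traversal name.
SAMPLE_ENTRIES = [
    ("pkg/README", "file", None),
    ("pkg/latest", "symlink", "README"),
    ("pkg/out", "symlink", "../../elsewhere"),
    ("pkg/out/config", "file", None),
    ("../up.txt", "file", None),
]

if __name__ == "__main__":
    for path, reason in find_unsafe_entries(SAMPLE_ENTRIES):
        print(path, "->", reason)
```

The check is lexical only, so an extractor would still need to avoid following symlinks that already exist in the destination directory before unpacking starts.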