ELA-939-1 unrar-nonfree security update

arbitrary code execution

2023-08-29
Package: unrar-nonfree
Version: 1:5.6.6-1+deb9u2 (stretch)
Related CVEs: CVE-2023-40477


A specific flaw within the processing of recovery volumes exists in UnRAR, an unarchiver for rar files. It allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. The target must visit a malicious page or open a malicious rar file.



For Debian 9 stretch, this problem has been fixed in version 1:5.6.6-1+deb9u2.

We recommend that you upgrade your unrar-nonfree packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.