
Bug 476766 (CVE-2013-4668)

Summary: app-arch/file-roller: Path sanitization errors (CVE-2013-4668)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-13 20:59:54 UTC
From ${URL} :


The File Roller archive manager for the GNOME desktop suffers from a
path traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to trigger creation of
arbitrary files in any location, writable by the user executing the extraction,
outside the current working directory. This behaviour is triggered when the
option 'Keep directory structure' is selected from the application 'Extract'

The issue is present on File Roller installations which have been
compiled with libarchive support, used to handle tar, cpio, lha, 7zip, ar
archiving formats and ISO images. The libarchive support is enabled by

Affected version:
File Roller >= 3.6.0, >= 3.8.0, >= 3.9.1

Fixed version:
File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3

Credit: vulnerability report received from Yorick Koster 
        <yorick.koster AT>

CVE: CVE-2013-4668

2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2013-05-27: maintainer provides patch for review
2013-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released
2013-07-04: contacted affected vendors
2013-07-04: assigned CVE
2013-07-08: advisory release



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
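The check the advisory says was missing (entry paths are kept as the archive states them, so `..` components and absolute names escape the extraction directory), as an added example for this page. It is not file-roller's code, which is C on top of libarchive; it is a Python illustration of the same class of bug. The three entry names, the contents and the destination paths are all constructed for the example:

```python
import io
import os
import posixpath
import tarfile
import tempfile


def build_crafted_tar():
    """Build an in-memory tar of the kind the advisory describes.

    The three entries are constructed for this example: a benign file, an
    entry that climbs out of the extraction directory with '..', and an
    entry with an absolute path. No archive from the actual report is used.
    TarInfo + addfile is used deliberately: unlike TarFile.add(), it does
    not strip leading '/' from the name, so the crafted name survives intact.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("docs/readme.txt", b"benign\n"),
            ("../../escaped.txt", b"lands two levels above the target dir\n"),
            ("/tmp/absolute.txt", b"absolute entry name\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(archive_bytes, dest):
    """Return entry names that, with the directory structure kept, would be
    written outside `dest`. Pure path check: normalise the joined path and
    require it to remain under the destination."""
    dest = posixpath.normpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # posixpath.join discards `dest` when the entry name is absolute,
            # which is exactly why an absolute name ends up flagged here.
            target = posixpath.normpath(posixpath.join(dest, member.name))
            if target != dest and not target.startswith(dest + "/"):
                flagged.append(member.name)
    return flagged


def safe_extract(archive_bytes, dest):
    """Extract regular files only, refusing any entry whose resolved path
    escapes `dest`. Returns (written_paths, rejected_names)."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                # Symlinks, hard links and device nodes are another way out
                # of the tree; a file-only policy keeps this example short.
                continue
            target = os.path.realpath(os.path.join(dest_real, member.name))
            # realpath also resolves symlinks already present under dest,
            # so a link pointing outside cannot be used as a stepping stone.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo():
    """Run both checks against the crafted archive in a scratch directory."""
    data = build_crafted_tar()
    flagged = unsafe_members(data, "/home/user/extract")
    with tempfile.TemporaryDirectory() as scratch:
        written, rejected = safe_extract(data, scratch)
        written = [os.path.relpath(p, os.path.realpath(scratch)) for p in written]
    return flagged, written, rejected


if __name__ == "__main__":
    print(demo())
```

`unsafe_members` is the pre-extraction audit (what "Keep directory structure" would write, and where); `safe_extract` is the guarded write, which rejects the two crafted entries and writes only `docs/readme.txt`. The check is independent of the archive format: the advisory's scope is the libarchive-backed formats only because that is the code path in file-roller that lacked it. Python 3.12 and later offer the same policy for tar via `TarFile.extractall(..., filter="data")`; the hand-written version above is kept so the path logic is visible.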
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-15 00:02:39 UTC
We have 3.8.3 (masked), need 3.6.4.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-15 00:52:41 UTC
3.6.4 has been bumped, and 3.8.3 was in portage already.

The vulnerability description states that only >=file-roller-3.6 was affected, which for us is ~arch only, so it would appear that there is nothing to stabilize.

The code paths for dealing with filenames were substantially rewritten between file-roller-3.4 and 3.6, and libarchive support did not exist at all before 3.6. It is therefore difficult to check whether our stable file-roller version (2.32.2) might be affected by this or a similar vulnerability. (It's possible that the report didn't mention it only because the report writer considered 2.32 to be obsolete.)

+*file-roller-3.6.4 (15 Jul 2013)
+  15 Jul 2013; Alexandre Rostovtsev <>
+  +file-roller-3.6.4.ebuild:
+  Version bump, fixes path traversal vulnerability (bug #476766, CVE-2013-4668,
+  thanks to Agostino Sarubbo).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:13:41 UTC
CVE-2013-4668:
  Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3.8.x
  before 3.8.3, and 3.9.x before 3.9.3, when libarchive is used, allows remote
  attackers to create arbitrary files via a crafted archive that is not
  properly handled in a "Keep directory structure" action, related to
  fr-archive-libarchive.c and fr-window.c.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:14:21 UTC
Please remove affected versions so we can close this.
Comment 5 Pacho Ramos gentoo-dev 2013-08-27 06:24:42 UTC
+  27 Aug 2013; Pacho Ramos <> -file-roller-3.6.3.ebuild,
+  -file-roller-3.6.4.ebuild, -file-roller-3.8.2.ebuild,
+  -file-roller-3.8.3.ebuild, -files/3.1.2-packages.match:
+  Drop old
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 12:27:44 UTC
Thank you. Stable versions are unaffected, closing noglsa.