|Summary:||<app-arch/file-roller-3.36.3: Directory traversal during extraction (CVE-2020-11736)|
|Product:||Gentoo Security||Reporter:||Sam James <sam>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B3 [cleanup glsa+ cve]|
|Runtime testing required:||---|
Description Sam James 2020-04-13 20:48:19 UTC
Description: "fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location."
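One way to express the check the description says was missing, as an added example (not file-roller's or libarchive's code; `entry_parent_escapes` and `is_within` are hypothetical names). It assumes POSIX and an extraction root that already exists.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if canonical `path` is `root` itself or lies beneath it. */
static int is_within(const char *root, const char *path) {
    size_t n = strlen(root);
    if (n == 1) return 1;                       /* root is "/" */
    return strncmp(root, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Returns 0 if every existing parent directory of `entry` resolves inside
 * `root`, 1 if the entry must be refused, -1 on an unexpected error. */
int entry_parent_escapes(const char *root, const char *entry) {
    char real_root[PATH_MAX], prefix[PATH_MAX], resolved[PATH_MAX];
    struct stat st;
    int missing = 0;            /* set once a parent does not exist yet */
    if (entry[0] == '/') return 1;              /* absolute member name */
    if (!realpath(root, real_root)) return -1;
    size_t len = strlen(real_root);
    memcpy(prefix, real_root, len + 1);
    for (const char *p = entry;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        if (clen == 2 && p[0] == '.' && p[1] == '.') return 1;  /* ".." */
        if (!slash) return 0;                   /* final component: parents done */
        if (clen > 0 && !missing) {
            if (len + clen + 2 > sizeof prefix) return -1;
            prefix[len++] = '/';
            memcpy(prefix + len, p, clen);
            len += clen;
            prefix[len] = '\0';
            if (lstat(prefix, &st) != 0) {
                if (errno != ENOENT) return -1;
                missing = 1;                    /* extractor will create it */
            } else if (!realpath(prefix, resolved) ||
                       !is_within(real_root, resolved)) {
                return 1;                       /* dangling or escaping symlink */
            }
        }
        p = slash + 1;
    }
}
```

The check has to run immediately before each entry is written, because the directory tree changes as earlier entries are extracted. It is a check-then-use test, so it does not cover another process modifying the tree concurrently.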
Comment 1 Sam James 2020-04-13 20:49:51 UTC
@maintainer(s), please create an appropriate ebuild if possible. Given we are at 3.32.4 in tree, it's possible the vulnerable changes slipped in between now and 3.36.1. This requires investigation (I will look into this, but maintainer knowledge may be needed).
Comment 2 Sam James 2020-04-27 21:46:25 UTC
Comment 3 Sam James 2020-07-18 23:26:46 UTC
Comment 4 Sam James 2020-08-20 11:03:04 UTC
Comment 5 Mart Raudsepp 2020-08-24 10:07:25 UTC
My guess is that older versions are vulnerable, as there just was no symlink checking code before. file-roller-3.36 should be a small enough change over 3.34 to worry about not being in sync with gnome 3.36, so I guess let's just stable it. Note that other libarchive consumers may be vulnerable as well - mostly I'd suggest app-arch/engrampa would be, which I believe is a MATE fork of file-roller.
Comment 6 Sam James 2020-08-25 01:12:16 UTC
Comment 7 Sam James 2020-08-25 17:02:02 UTC
amd64 done
all arches done
Comment 8 Sam James 2020-08-25 17:24:48 UTC
Please cleanup, thanks!
Comment 9 Thomas Deutschmann 2020-09-13 22:20:18 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot 2020-09-13 23:40:38 UTC
This issue was resolved and addressed in GLSA 202009-06 at https://security.gentoo.org/glsa/202009-06 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann 2020-09-13 23:41:06 UTC
Re-opening for cleanup.
Comment 12 John Helmert III (ajak) 2020-10-30 02:23:16 UTC