Bug 717362 (CVE-2020-11736)

Summary:	<app-arch/file-roller-3.36.3: Directory traversal during extraction (CVE-2020-11736)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gnome
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified	Flags:	nattka: sanity-check+
Hardware:	All
OS:	Linux
URL:	https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
See Also:	https://github.com/gentoo/gentoo/pull/18831
Whiteboard:	B3 [glsa+ cve]
Package list:	app-arch/file-roller-3.36.3	Runtime testing required:	---

Description Sam James archtester

2020-04-13 20:48:19 UTC

Description:
"fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location."

Comment 1 Sam James archtester

2020-04-13 20:49:51 UTC

@maintainer(s), please create an appropriate ebuild if possible.

Given we are at 3.32.4 in tree, it's possible the vulnerable changes slipped in between now and 3.36.1. 

This requires investigation (I will look into this, but maintainer knowledge may be needed).

Comment 2 Sam James archtester

2020-04-27 21:46:25 UTC

@maintainer(s): ping

Comment 3 Sam James archtester

2020-07-18 23:26:46 UTC

ping

Comment 4 Sam James archtester

2020-08-20 11:03:04 UTC

ping.

Comment 5 Mart Raudsepp gentoo-dev

2020-08-24 10:07:25 UTC

My guess is that older are vulnerable, as there just was no symlink checking code before. file-roller-3.36 should be small enough change over 3.34 to worry about not being in sync with gnome 3.36, so I guess lets just stable it.

Note that other libarchive consumers may be vulnerable as well - mostly I'd suggest app-arch/engrampa would be, which I believe is a MATE fork of file-roller.

Comment 6 Sam James archtester

2020-08-25 01:12:16 UTC

x86 done

Comment 7 Sam James archtester

2020-08-25 17:02:02 UTC

amd64 done

all arches done

Comment 8 Sam James archtester

2020-08-25 17:24:48 UTC

Please cleanup, thanks!

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2020-09-13 22:20:18 UTC

New GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2020-09-13 23:40:38 UTC

This issue was resolved and addressed in
 GLSA 202009-06 at https://security.gentoo.org/glsa/202009-06
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2020-09-13 23:41:06 UTC

Re-opening for cleanup.

Comment 12 John Helmert III archtester

2020-10-30 02:23:16 UTC

Ping

Comment 13 John Helmert III archtester

2020-12-27 07:43:11 UTC

Ping

Comment 14 Larry the Git Cow gentoo-dev

2020-12-29 02:00:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea99ecf0a3496a2c469e9a9b049c9b6aedd724c4

commit ea99ecf0a3496a2c469e9a9b049c9b6aedd724c4
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-27 09:45:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-29 01:59:59 +0000

    app-arch/file-roller: security cleanup (drop <3.36.3)
    
    Bug: https://bugs.gentoo.org/717362
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18831
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/file-roller/Manifest                      |  1 -
 app-arch/file-roller/file-roller-3.32.4.ebuild     | 96 ----------------------
 app-arch/file-roller/files/3.32-packages.match     | 34 --------
 .../files/file-roller-3.32.4-fno-common.patch      | 27 ------
 4 files changed, 158 deletions(-)

Comment 15 John Helmert III archtester

2020-12-29 02:10:22 UTC

Tree is clean, all done!