Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717362 (CVE-2020-11736) - <app-arch/file-roller-3.36.3: Directory traversal during extraction (CVE-2020-11736)
Summary: <app-arch/file-roller-3.36.3: Directory traversal during extraction (CVE-2020...
Alias: CVE-2020-11736
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Reported: 2020-04-13 20:48 UTC by Sam James
Modified: 2020-12-29 02:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-13 20:48:19 UTC
"fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location."
Comment 1 Sam James archtester gentoo-dev Security 2020-04-13 20:49:51 UTC
@maintainer(s), please create an appropriate ebuild if possible.

Given we are at 3.32.4 in tree, it's possible the vulnerable changes slipped in between now and 3.36.1. 

This requires investigation (I will look into this, but maintainer knowledge may be needed).
Comment 2 Sam James archtester gentoo-dev Security 2020-04-27 21:46:25 UTC
@maintainer(s): ping
Comment 3 Sam James archtester gentoo-dev Security 2020-07-18 23:26:46 UTC
Comment 4 Sam James archtester gentoo-dev Security 2020-08-20 11:03:04 UTC
Comment 5 Mart Raudsepp gentoo-dev 2020-08-24 10:07:25 UTC
My guess is that older are vulnerable, as there just was no symlink checking code before. file-roller-3.36 should be small enough change over 3.34 to worry about not being in sync with gnome 3.36, so I guess lets just stable it.

Note that other libarchive consumers may be vulnerable as well - mostly I'd suggest app-arch/engrampa would be, which I believe is a MATE fork of file-roller.
Comment 6 Sam James archtester gentoo-dev Security 2020-08-25 01:12:16 UTC
x86 done
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 17:02:02 UTC
amd64 done

all arches done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-25 17:24:48 UTC
Please cleanup, thanks!
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:20:18 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:40:38 UTC
This issue was resolved and addressed in
 GLSA 202009-06 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-09-13 23:41:06 UTC
Re-opening for cleanup.
Comment 12 John Helmert III (ajak) 2020-10-30 02:23:16 UTC
Comment 13 John Helmert III (ajak) 2020-12-27 07:43:11 UTC
Comment 14 Larry the Git Cow gentoo-dev 2020-12-29 02:00:18 UTC
The bug has been referenced in the following commit(s):

commit ea99ecf0a3496a2c469e9a9b049c9b6aedd724c4
Author:     John Helmert III <>
AuthorDate: 2020-12-27 09:45:02 +0000
Commit:     Sam James <>
CommitDate: 2020-12-29 01:59:59 +0000

    app-arch/file-roller: security cleanup (drop <3.36.3)
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <>
    Signed-off-by: Sam James <>

 app-arch/file-roller/Manifest                      |  1 -
 app-arch/file-roller/file-roller-3.32.4.ebuild     | 96 ----------------------
 app-arch/file-roller/files/3.32-packages.match     | 34 --------
 .../files/file-roller-3.32.4-fno-common.patch      | 27 ------
 4 files changed, 158 deletions(-)
Comment 15 John Helmert III (ajak) 2020-12-29 02:10:22 UTC
Tree is clean, all done!