Bug 476766 (CVE-2013-4668) - app-arch/file-roller: Path sanitization errors (CVE-2013-4668)
Summary: app-arch/file-roller: Path sanitization errors (CVE-2013-4668)
Status: RESOLVED FIXED
Alias: CVE-2013-4668
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Reported: 2013-07-13 20:59 UTC by Agostino Sarubbo
Modified: 2013-08-27 12:27 UTC

Description Agostino Sarubbo gentoo-dev 2013-07-13 20:59:54 UTC
From ${URL} :

Description:

The File Roller archive manager for the GNOME desktop suffers from a
path traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to trigger creation of
arbitrary files in any location, writable by the user executing the extraction,
outside the current working directory. This behaviour is triggered when the
option 'Keep directory structure' is selected from the application 'Extract'
dialog.

The issue is present on File Roller installations which have been
compiled with libarchive support, used to handle tar, cpio, lha, 7zip, ar
archiving formats and ISO images. The libarchive support is enabled by
default.

Affected version:
File Roller >= 3.6.0, >= 3.8.0, >= 3.9.1

Fixed version:
File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3

Credit: vulnerability report received from Yorick Koster 
        <yorick.koster AT securify.nl>

CVE: CVE-2013-4668

Timeline:
2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2013-05-27: maintainer provides patch for review
2013-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released
2013-07-04: contacted affected vendors
2013-07-04: assigned CVE
2013-07-08: advisory release

References:
http://fileroller.sourceforge.net
http://git.gnome.org/browse/file-roller
https://git.gnome.org/browse/file-roller/commit/?id=b147281293a8307808475e102a14857055f81631

Permalink:
http://www.ocert.org/advisories/ocert-2013-001.html



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
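
The kind of entry-name check the advisory describes as insufficient, as an added example (not File Roller's code and not the upstream patch): a C routine that refuses archive entry names that are absolute or contain a `..` component before joining them to the extraction directory. The function name `safe_extract_path`, the buffer size and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not File Roller code): build the on-disk path for one
 * archive entry. Returns 0 and writes dest "/" cleaned-name into out, or -1
 * when the entry must be refused. Symlinks already present under dest are
 * out of scope here and need their own check. */
int safe_extract_path(const char *dest, const char *entry,
                      char *out, size_t outlen)
{
    const char *p = entry;
    size_t used, appended = 0;
    int n;
    if (!dest || !entry || !out || *entry == '\0' || *entry == '/')
        return -1;                            /* missing, empty or absolute */
    n = snprintf(out, outlen, "%s", dest);
    if (n < 0 || (size_t)n >= outlen)         /* dest alone does not fit */
        return -1;
    used = (size_t)n;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");         /* length of next component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;                        /* would climb out of dest */
        if (len > 0 && !(len == 1 && p[0] == '.')) {  /* skip "" and "." */
            if (used + 1 + len + 1 > outlen)
                return -1;                    /* never truncate a path */
            out[used++] = '/';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            appended++;
        }
        p += len;
        if (*p == '/') p++;
    }
    return appended > 0 ? 0 : -1;             /* "." or "./" names nothing */
}

int main(void)
{
    const char *names[] = { "docs/./a.txt", "../../outside.txt", "/abs/x" }; /* constructed */
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = safe_extract_path("/tmp/out", names[i], path, sizeof path);
        printf("%-20s -> %s\n", names[i], rc == 0 ? path : "REFUSED");
    }
    return 0;
}
```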
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-15 00:02:39 UTC
We have 3.8.3 (masked), need 3.6.4.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-15 00:52:41 UTC
3.6.4 has been bumped, and 3.8.3 was in portage already.

The vulnerability description states that only >=file-roller-3.6 was affected, which for us is ~arch only, so it would appear that there is nothing to stabilize.

The code paths for dealing with filenames were substantially rewritten between file-roller-3.4 and 3.6, and libarchive support did not exist at all before 3.6. It is therefore difficult to check whether our stable file-roller version (2.32.2) might be affected by this or a similar vulnerability. (It's possible that the report didn't mention it only because the report writer considered 2.32 to be obsolete.)

+*file-roller-3.6.4 (15 Jul 2013)
+
+  15 Jul 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +file-roller-3.6.4.ebuild:
+  Version bump, fixes path traversal vulnerability (bug #476766, CVE-2013-4668,
+  thanks to Agostino Sarubbo).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:13:41 UTC
CVE-2013-4668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4668):
  Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3.8.x
  before 3.8.3, and 3.9.x before 3.9.3, when libarchive is used, allows remote
  attackers to create arbitrary files via a crafted archive that is not
  properly handled in a "Keep directory structure" action, related to
  fr-archive-libarchive.c and fr-window.c.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:14:21 UTC
Please remove affected versions so we can close this.
Comment 5 Pacho Ramos gentoo-dev 2013-08-27 06:24:42 UTC
+  27 Aug 2013; Pacho Ramos <pacho@gentoo.org> -file-roller-3.6.3.ebuild,
+  -file-roller-3.6.4.ebuild, -file-roller-3.8.2.ebuild,
+  -file-roller-3.8.3.ebuild, -files/3.1.2-packages.match:
+  Drop old
+
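Review bot: The removal list drops file-roller-3.6.4.ebuild and file-roller-3.8.3.ebuild, the versions this bug's advisory names as fixed, together with 3.6.3 and 3.8.2, and the message "Drop old" says neither why nor what replaces them. Reference bug #476766 in the entry and name the version that stays in the tree, so the ChangeLog shows that a fixed release is still available after the cleanup.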
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 12:27:44 UTC
Thank you. Stable versions are unaffected, closing noglsa.