Bug 26502

Summary: file-roller new security issue CVE-2020-11736
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: CheeseEBoi, andrewsfarm, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: file-roller-3.32.1-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-04-20 16:38:34 CEST 
Debian-LTS has issued an advisory on April 18:
https://www.debian.org/lts/security/2020/dla-2180

The issue is fixed upstream in 3.36.2.
Comment 1 David Walser 2020-04-20 16:41:48 CEST 
Ubuntu has issued an advisory for this today (April 20):
https://usn.ubuntu.com/4332-1/

Severity: normal => major

Comment 2 Lewis Smith 2020-04-20 20:51:22 CEST 
new version 3.36.2 is already just in Cauldron, thanks to Olav.

Assigning to Olav as the active maintainer of this SRPM.

Assignee: bugsquad => olav

Elliot L 2020-05-18 19:03:53 CEST

CC: (none) => CheeseEBoi

Comment 3 Elliot L 2020-05-18 19:51:36 CEST 
I had rindolf/shlomif submit the package. I'll have a advisory soon. 

Here is the diff for anyone who needs it: https://paste.opensuse.org/89321540
Comment 4 Elliot L 2020-05-18 20:06:39 CEST 
Advisory:
========================

Updated the file-roller package in order to fix a security vulnerability:
fr-archive-libarchive.c: File Roller lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. Thus, directory traversal is not prevented (CVE-2020-11736).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11736
https://www.debian.org/lts/security/2020/dla-2180

========================

Updated the package in core/updates_testing:
========================

file-roller-3.32.1-2.1.mga7
from file-roller-3.32.1-2.1.mga7.src.rpm
Comment 5 David Walser 2020-05-18 20:10:39 CEST 
Assigning to QA.  Advisory in Comment 4.

Assignee: olav => qa-bugs

Comment 6 Herman Viaene 2020-05-19 15:02:05 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19312 for testing:
Created new archive, added a folder (containing sub-folders and files) to it.
Checked with dolphin - ark, all expected folders and files are there.
Extracted files and folders to new location, all OK. Good enough for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 7 Elliot L 2020-05-19 21:07:25 CEST 
MGA7-64 Xfce on Virt Manager
No issues with installation.
Created and extracted archive under symlink, no directory traversal occurred.
All seems to work well
Comment 8 Thomas Andrews 2020-05-20 13:58:57 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-05-24 15:58:49 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2020-05-24 20:06:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0218.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED