Bug 29006

Summary: file-roller new security issue CVE-2020-36314
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, brtians1, peanutsunless, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: file-roller-3.38.0-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-05-29 00:55:13 CEST
Ubuntu has issued an advisory on April 26:
https://ubuntu.com/security/notices/USN-4927-1

The issue is fixed upstream in 3.38.1.

Mageia 7 is also affected.

David Walser 2021-05-29 00:55:26 CEST

Status comment: (none) => Fixed upstream in 3.38.1
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-05-29 23:43:30 CEST
Fedora has issued an advisory for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/

Comment 2 Lewis Smith 2021-06-02 21:14:08 CEST
Assigning to Olav as the active maintainer of this.

Assignee: bugsquad => olav

Comment 3 David Walser 2021-06-28 19:18:26 CEST
Advisory:
========================

Updated file-roller package fixes security vulnerability:

A path traversal vulnerability was found in file-roller due to an incomplete
fix for CVE-2020-11736. It may still be possible to extract files outside of
the intended directory in case of malicious archives containing symbolic links.
The highest threat from this vulnerability is to data integrity and system
availability (CVE-2020-36314).

Also, the patch for CVE-2020-11736 was not applied correctly in the previous
update for Mageia 7 (MGASA-2020-0218).  This has been corrected.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36314
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
https://advisories.mageia.org/MGASA-2020-0218.html
========================

Updated packages in core/updates_testing:
========================
file-roller-3.32.1-2.2.mga7
file-roller-3.38.0-1.1.mga8

from SRPMS:
file-roller-3.32.1-2.2.mga7.src.rpm
file-roller-3.38.0-1.1.mga8.src.rpm

Assignee: olav => qa-bugs
Status comment: Fixed upstream in 3.38.1 => (none)
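
An added example, not part of the original bug report and not file-roller's code or the upstream fix: a pre-extraction audit of a tar archive for the class of issue the advisory in Comment 3 describes, where symbolic links carried in the archive lead extraction outside the intended directory. The function names (`audit_tar`, `build_sample`) and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a normalised archive-relative path leaves the extraction root."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def audit_tar(fileobj):
    """Return (member, reason) pairs for entries that could be written outside the root."""
    findings = []
    links = set()  # normalised paths this archive has already declared as symlinks
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if _escapes(name):
                findings.append((m.name, "path escapes extraction root"))
                continue
            # A member below an archive-supplied symlink is written wherever the link points.
            parts = name.split("/")
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((m.name, "parent directory is a symlink from this archive"))
            if m.issym():
                links.add(name)
                target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
                if _escapes(target):
                    findings.append((m.name, "symlink target escapes extraction root"))
    return findings


def build_sample():
    """Constructed sample archive (in memory only): benign entries plus the flagged pattern."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in [
            ("docs/readme.txt", None, b"hello"),
            ("docs/latest", "readme.txt", b""),        # symlink that stays inside the root
            ("docs/cache", "../../outside", b""),      # symlink that leaves the root
            ("docs/cache/file.txt", None, b"hi"),      # entry placed below that symlink
        ]:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Hard links and symlinks already present in the destination directory are outside what this audit examines.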

Comment 4 David Walser 2021-07-01 00:10:46 CEST
PoC is here:
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108

Comment 5 Brian Rockwell 2021-07-02 20:47:42 CEST
MGA7 - 64 bit

$ uname -a
Linux localhost 5.10.46-desktop-1.mga7 #1 SMP Thu Jun 24 14:55:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

upgrade file-roller

able to extract and create archives.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => brtians1

Comment 6 Brian Rockwell 2021-07-02 21:06:38 CEST
MGA8  - 64 bit gnome

upgraded file-roller

Tested proof of concept file.  Seems symlinks are rolled back to themselves, so not going anywhere they shouldn't from what I can tell.

Working as designed.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Thomas Andrews 2021-07-03 01:09:57 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-04 02:38:26 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-07-04 04:15:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0311.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
