Fedora has issued an advisory on June 9: https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111666.html The issue is fixed in 3.8.3 and 3.6.4 upstream. The issue was caused by the addition of libarchive support in 3.5.x, so Mageia 2 (3.4.x) is not affected. We already have 3.8.3 in Cauldron, so it's already fixed there. Olav, I have added the upstream commit for 3.6.x to Mageia 3 SVN, but not pushed to the build system yet. If you would prefer to update to 3.6.4, please go ahead and push that. Reproducible: Steps to Reproduce:
I checked the diff between 3.6.3 and 3.6.4. The only other changes are translation updates and adding support for CAB files. Updating to 3.6.4. Advisory: ======================== Updated file-roller package fixes security vulnerability: Directory traversal vulnerability in File Roller 3.6.x before 3.6.4 when libarchive is used, allows remote attackers to create arbitrary files via a crafted archive that is not properly handled in a "Keep directory structure" action, related to fr-archive-libarchive.c and fr-window.c (CVE-2013-4668). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4668 https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111666.html ======================== Updated packages in core/updates_testing: ======================== file-roller-3.6.4-1.mga3 from file-roller-3.6.4-1.mga3.src.rpm
CC: (none) => olavAssignee: olav => qa-bugs
No PoC or really much detail to go on to reproduce this so just testing fileroller can open various archives OK. When either current or testing version is installed or uninstalled it gives a warning. It doesn't seem to affect operation so I'll create a new bug for this. # urpmi file-roller installing file-roller-3.6.4-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ########################## 1/1: file-roller ########################## 1/1: removing file-roller-3.6.3-2.mga3.x86_64 ########################## warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/> # urpme file-roller removing file-roller-3.6.4-1.mga3.x86_64 removing package file-roller-3.6.4-1.mga3.x86_64 1/1: removing file-roller-3.6.4-1.mga3.x86_64 ########################## warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/> # urpmi file-roller installing file-roller-3.6.4-1.mga3.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ########################## 1/1: file-roller ########################## warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>
Testing complete mga3 64
Whiteboard: (none) => has_procedure mga3-64-ok
Bug 10822 created for the warnings
Testing complete mga3 32. Seems to affect x86_64 only.
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Validating. Advisory from comment 1 uploaded. Could sysadmin please push from 3 core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0232.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED