A CVE has been assigned to an issue fixed in file-roller 3.20.3: http://www.openwall.com/lists/oss-security/2016/09/08/4

The commit to fix the issue is linked in the message above.
Ubuntu has issued an advisory for this on September 8: http://www.ubuntu.com/usn/usn-3074-1/

Patched package uploaded for Mageia 5:

Advisory:
========================

Updated file-roller package fixes security vulnerability:

It was discovered that File Roller incorrectly handled symlinks. If a user were tricked into extracting a specially-crafted archive, an attacker could delete files outside of the extraction directory (CVE-2016-7162).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7162
http://www.ubuntu.com/usn/usn-3074-1/
========================

Updated packages in core/updates_testing:
========================
file-roller-3.14.2-1.1.mga5

from file-roller-3.14.2-1.1.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/700116/
Assignee: olav => qa-bugs
Severity: normal => major
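The advisory describes the class of defect: an extractor that follows symlink members, or writes through them, lets a crafted archive reach paths outside the extraction directory. The following is an added example, not code from this bug report, from File Roller or from Mageia: a small pre-extraction validator for tar streams that flags such members before anything is written to disk. Function names (`check_archive`, `escapes_root`, `build_sample_archive`) and the sample archive are constructed here for illustration.

```python
# Added example (not Mageia's or file-roller's code): a pre-extraction
# validator for the class of archive member behind CVE-2016-7162, i.e.
# members that could make extraction touch paths outside the target
# directory. Function names and the sample archive are constructed here.
import io
import posixpath
import tarfile


def escapes_root(path):
    """True if a POSIX path is absolute or climbs above the archive root."""
    n = posixpath.normpath(path)
    return posixpath.isabs(n) or n == ".." or n.startswith("../")


def check_archive(data):
    """Return [(member_name, reason), ...] for every unsafe member in `data`.

    Three rules, checked per member in archive order:
      1. the member's own path must stay inside the extraction root;
      2. no member may be created under a path whose prefix is a symlink
         that appeared earlier (that is how a crafted archive redirects a
         write, or a remove-and-recreate, outside the directory);
      3. a symlink target, resolved relative to the link's own directory,
         and a hard-link target, relative to the root, must stay inside.
    """
    problems = []
    symlinks = set()  # normalized names of symlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            if escapes_root(m.name):
                problems.append((m.name, "path escapes extraction root"))
                continue
            parts = name.split("/")
            ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]
            if any(a in symlinks for a in ancestors):
                problems.append((m.name, "path passes through earlier symlink"))
                continue
            if m.issym():
                symlinks.add(name)
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if escapes_root(target):
                    problems.append((m.name, "link target escapes extraction root"))
            elif m.islnk() and escapes_root(m.linkname):
                problems.append((m.name, "link target escapes extraction root"))
    return problems


def _add_member(tf, name, kind, linkname="", data=b""):
    """Append one entry to a tar being written (test-fixture helper)."""
    ti = tarfile.TarInfo(name)
    ti.type = kind
    ti.linkname = linkname
    ti.size = len(data)
    tf.addfile(ti, io.BytesIO(data) if data else None)


def build_sample_archive():
    """Constructed fixture: two benign members plus four that a safe
    extractor must refuse. Returned as tar bytes, never written to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_member(tf, "docs/readme.txt", tarfile.REGTYPE, data=b"hello\n")
        _add_member(tf, "docs/inside", tarfile.SYMTYPE, linkname="../docs")
        _add_member(tf, "docs/escape", tarfile.SYMTYPE, linkname="../../outside")
        _add_member(tf, "docs/inside/payload.txt", tarfile.REGTYPE, data=b"x\n")
        _add_member(tf, "/tmp/absolute.txt", tarfile.REGTYPE, data=b"x\n")
        _add_member(tf, "../parent.txt", tarfile.REGTYPE, data=b"x\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in check_archive(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

The check is deliberately conservative: any member whose path passes through an earlier symlink is rejected even when that link points inside the root, because the destination tree may already contain something else at that name by the time the member is written. Running the validator over the whole member list before extraction, rather than deciding per file during extraction, is what keeps a remove-and-recreate sequence from acting on a path that has already been redirected.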
[root@localhost chris]# urpmi file-roller
Package file-roller-3.14.2-1.1.mga5.x86_64 is already installed
[root@localhost chris]#

[root@localhost chris]# urpmi file-roller
Package file-roller-3.14.2-1.1.mga5.i586 is already installed
[root@localhost chris]#

Installed without issues in both 32 and 64 bit on M5. Basic testing on both systems: created an archive, added files, and extracted the archive in a file manager (Thunar) via the context menu. Works.

I don't know if it's up to me to mark it OK, and if yes, how I'd do that. Sorry, new to the QA team.
CC: (none) => shybluenight
On both arches, following the correct testing procedure: first installing file-roller-3.14.2-1.mga5, then updating to file-roller-3.14.2-1.1.mga5 (from updates_testing).

[root@localhost chris]# urpmi file-roller
$MIRRORLIST: media/core/updates_testing/file-roller-3.14.2-1.1.mga5.x86_64.rpm
installing file-roller-3.14.2-1.1.mga5.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: file-roller           #############################################
      1/1: removing file-roller-3.14.2-1.mga5.x86_64
                                 #############################################
[root@localhost chris]#

No issues.
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Thanks Chris for a great job speedily done. Update validated, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0313.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED