Bug 26502 - file-roller new security issue CVE-2020-11736
Summary: file-roller new security issue CVE-2020-11736
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-04-20 16:38 CEST by David Walser
Modified: 2020-05-24 20:06 CEST (History)

See Also:
Source RPM: file-roller-3.32.1-2.mga7.src.rpm


Description David Walser 2020-04-20 16:38:34 CEST
Debian-LTS has issued an advisory on April 18:

The issue is fixed upstream in 3.36.2.
Comment 1 David Walser 2020-04-20 16:41:48 CEST
Ubuntu has issued an advisory for this today (April 20):

Severity: normal => major

Comment 2 Lewis Smith 2020-04-20 20:51:22 CEST
new version 3.36.2 is already just in Cauldron, thanks to Olav.

Assigning to Olav as the active maintainer of this SRPM.

Assignee: bugsquad => olav

Elliot L 2020-05-18 19:03:53 CEST

CC: (none) => CheeseEBoi

Comment 3 Elliot L 2020-05-18 19:51:36 CEST
I had rindolf/shlomif submit the package. I'll have an advisory soon.

Here is the diff for anyone who needs it: https://paste.opensuse.org/89321540
Comment 4 Elliot L 2020-05-18 20:06:39 CEST

Updated the file-roller package in order to fix a security vulnerability:

fr-archive-libarchive.c: File Roller lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. Thus, directory traversal is not prevented (CVE-2020-11736).

Updated the package in core/updates_testing:

from file-roller-3.32.1-2.1.mga7.src.rpm
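The traversal the advisory describes, shown as an added example that is not file-roller's own code (the real fix lives in fr-archive-libarchive.c and is C; this Python stands in for the archiver to make the mechanism reproducible). The archive is constructed inline: member `link` is a symlink to a directory outside the destination, and the next member `link/pwned.txt` has that symlink as its parent. An extractor that only looks at the member name writes the file through the symlink; the guarded extractor resolves the parent with `realpath()` before creating anything and refuses members whose parent no longer lies under the destination. Names and helpers (`parent_stays_inside`, `payload_escaped`) are this example's own, not file-roller's.

```python
import io
import os
import tarfile
import tempfile


def parent_stays_inside(dest_dir: str, member_name: str) -> bool:
    """Return True only if the parent directory that member_name would be
    created in still lies inside dest_dir once symlinks already on disk
    are followed. This is the check the advisory says was missing."""
    root = os.path.realpath(dest_dir)
    # Lexical guard first: absolute names and ".." components never pass.
    if os.path.isabs(member_name) or ".." in member_name.split("/"):
        return False
    parent = os.path.dirname(os.path.join(root, member_name))
    # realpath() follows any symlink a previous member may have planted.
    resolved = os.path.realpath(parent)
    return resolved == root or resolved.startswith(root + os.sep)


def build_malicious_tar(outside_dir: str) -> bytes:
    """Constructed sample archive (not a real-world sample): member 'link'
    is a symlink to outside_dir, and 'link/pwned.txt' is a regular file
    whose parent component is that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tf.addfile(link)
        payload = b"written through the symlink\n"
        victim = tarfile.TarInfo("link/pwned.txt")
        victim.size = len(payload)
        tf.addfile(victim, io.BytesIO(payload))
    return buf.getvalue()


def extract(data: bytes, dest_dir: str, check_parent: bool):
    """Minimal member-by-member extractor standing in for the archiver.
    Returns (written, skipped) lists of member names."""
    written, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            if check_parent and not parent_stays_inside(dest_dir, m.name):
                skipped.append(m.name)
                continue
            path = os.path.join(dest_dir, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                # open() follows an existing symlink in the parent path,
                # which is exactly how the traversal happens.
                with open(path, "wb") as out:
                    out.write(tf.extractfile(m).read())
            written.append(m.name)
    return written, skipped


def payload_escaped(check_parent: bool) -> bool:
    """Run the scenario in fresh temporary directories and report whether
    pwned.txt ended up outside the extraction directory."""
    with tempfile.TemporaryDirectory() as top:
        outside = os.path.join(top, "outside")
        dest = os.path.join(top, "dest")
        os.mkdir(outside)
        os.mkdir(dest)
        extract(build_malicious_tar(outside), dest, check_parent)
        return os.path.exists(os.path.join(outside, "pwned.txt"))


if __name__ == "__main__":
    print("unchecked extraction escaped:", payload_escaped(False))  # True
    print("checked extraction escaped:  ", payload_escaped(True))   # False
```

The order of members matters: the symlink is harmless on its own, so a check that only rejects symlinks pointing outside the destination would still miss this case. The guard has to be applied to every member's parent path, after earlier members have already been created, which is why it resolves the parent on disk rather than just inspecting the archive entry.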
Comment 5 David Walser 2020-05-18 20:10:39 CEST
Assigning to QA.  Advisory in Comment 4.

Assignee: olav => qa-bugs

Comment 6 Herman Viaene 2020-05-19 15:02:05 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19312 for testing:
Created new archive, added a folder (containing sub-folders and files) to it.
Checked with dolphin - ark, all expected folders and files are there.
Extracted files and folders to new location, all OK. Good enough for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 7 Elliot L 2020-05-19 21:07:25 CEST
MGA7-64 Xfce on Virt Manager
No issues with installation.
Created and extracted archive under symlink, no directory traversal occurred.
All seems to work well
Comment 8 Thomas Andrews 2020-05-20 13:58:57 CEST
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-05-24 15:58:49 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2020-05-24 20:06:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
