Debian-LTS has issued an advisory on April 18: https://www.debian.org/lts/security/2020/dla-2180 The issue is fixed upstream in 3.36.2.
Ubuntu has issued an advisory for this today (April 20): https://usn.ubuntu.com/4332-1/
Severity: normal => major
New version 3.36.2 is already in Cauldron, thanks to Olav. Assigning to Olav as the active maintainer of this SRPM.
Assignee: bugsquad => olav
CC: (none) => CheeseEBoi
I had rindolf/shlomif submit the package. I'll have an advisory soon. Here is the diff for anyone who needs it: https://paste.opensuse.org/89321540
Advisory:
========================

Updated the file-roller package in order to fix a security vulnerability:

fr-archive-libarchive.c: File Roller lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. Thus, directory traversal is not prevented (CVE-2020-11736).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11736
https://www.debian.org/lts/security/2020/dla-2180
========================

Updated the package in core/updates_testing:
========================
file-roller-3.32.1-2.1.mga7

from file-roller-3.32.1-2.1.mga7.src.rpm
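The missing check described in the advisory, as an added illustration (not file-roller's own code): before writing an archive member, the destination's parent directory is resolved with realpath() so that a previously extracted symlink cannot redirect the write outside the extraction directory. The `escape` symlink and the temporary directories are constructed for the demo.

```python
import os
import tempfile


def is_safe_extract_path(extract_dir: str, member_name: str) -> bool:
    """Return True only if writing member_name under extract_dir cannot
    escape it, even when an already-extracted parent is a symlink.

    Checking the member's own path against the base is not enough; the
    parent chain must be resolved (symlinks followed) and re-checked.
    """
    base = os.path.realpath(extract_dir)
    norm = os.path.normpath(os.path.join(base, member_name))
    # Lexical check: rejects absolute names and '..' components.
    if os.path.commonpath([base, norm]) != base:
        return False
    # Filesystem check: resolve the parent (existing symlinks included).
    parent_real = os.path.realpath(os.path.dirname(norm))
    return os.path.commonpath([base, parent_real]) == base


def demo() -> dict:
    """Constructed scenario: the extraction dir already holds a symlink
    'escape' pointing to a directory outside it, as a hostile archive's
    first entry would create, plus an ordinary subdirectory 'normal'."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as extract_dir:
        os.symlink(outside, os.path.join(extract_dir, "escape"))
        os.mkdir(os.path.join(extract_dir, "normal"))
        return {
            "plain": is_safe_extract_path(extract_dir, "normal/file.txt"),
            "dotdot": is_safe_extract_path(extract_dir, "../file.txt"),
            "via_symlink": is_safe_extract_path(extract_dir, "escape/file.txt"),
        }


if __name__ == "__main__":
    print(demo())
```

Only the `via_symlink` case distinguishes a lexical-only check from the resolved-parent check; the other two are caught by either.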
Assigning to QA. Advisory in Comment 4.
Assignee: olav => qa-bugs
MGA7-64 Plasma on Lenovo B50 No installation issues. Ref bug 19312 for testing: Created new archive, added a folder (containing sub-folders and files) to it. Checked with dolphin - ark, all expected folders and files are there. Extracted files and folders to new location, all OK. Good enough for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
MGA7-64 Xfce on Virt Manager No issues with installation. Created and extracted archive under symlink, no directory traversal occurred. All seems to work well
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0218.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED