Debian-LTS has issued an advisory on April 18:
The issue is fixed upstream in 3.36.2.
Ubuntu has issued an advisory for this today (April 20):
New version 3.36.2 is already just in Cauldron, thanks to Olav.
Assigning to Olav as the active maintainer of this SRPM.
I had rindolf/shlomif submit the package. I'll have an advisory soon.
Here is the diff for anyone who needs it: https://paste.opensuse.org/89321540
Updated the file-roller package in order to fix a security vulnerability:
fr-archive-libarchive.c: File Roller lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. Thus, directory traversal is not prevented (CVE-2020-11736).
Updated the package in core/updates_testing:
Assigning to QA. Advisory in Comment 4.
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 19312 for testing:
Created new archive, added a folder (containing sub-folders and files) to it.
Checked with dolphin - ark, all expected folders and files are there.
Extracted files and folders to new location, all OK. Good enough for me.
MGA7-64 Xfce on Virt Manager
No issues with installation.
Created and extracted archive under symlink, no directory traversal occurred.
All seems to work well.
Validating. Advisory in Comment 4.
An update for this issue has been pushed to the Mageia Updates repository.
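
The kind of check the advisory text above says was missing, as an added example in plain POSIX C (this is not File Roller's upstream patch and not part of this bug report). The function name `entry_escapes_destination`, its return convention and the decision to refuse dangling links are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `resolved` is `root` itself or lies beneath it (both canonical paths). */
static int is_within(const char *root, const char *resolved)
{
    size_t n = strlen(root);
    if (n == 1) return 1;                    /* root is "/" */
    return strncmp(root, resolved, n) == 0 &&
           (resolved[n] == '\0' || resolved[n] == '/');
}

/* 0: parents of `rel` stay inside `dest`; 1: reject the entry; -1: error.
 * Only parent directories are examined, matching the flaw described above. */
int entry_escapes_destination(const char *dest, const char *rel)
{
    char root[PATH_MAX], path[PATH_MAX], real[PATH_MAX], copy[PATH_MAX];
    struct stat st;
    char *save = NULL, *part, *next;

    if (rel[0] == '/') return 1;             /* absolute member name */
    if (strlen(rel) >= sizeof copy || realpath(dest, root) == NULL) return -1;
    strcpy(copy, rel);
    strcpy(path, root);
    for (part = strtok_r(copy, "/", &save); part != NULL; part = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(part, "..") == 0) return 1;
        if (next == NULL) break;             /* last component is the file itself */
        if (strlen(path) + strlen(part) + 2 > sizeof path) return -1;
        strcat(path, "/");
        strcat(path, part);
        if (lstat(path, &st) != 0)
            return errno == ENOENT ? 0 : -1; /* not created yet: no link to follow */
        if (S_ISLNK(st.st_mode)) {
            /* Resolve the link; a dangling or escaping target is refused. */
            if (realpath(path, real) == NULL || !is_within(root, real)) return 1;
            strcpy(path, real);              /* keep walking from the real location */
        }
    }
    return 0;
}
```

A check-then-write test like this is only reliable when nothing else can modify the destination directory while extraction runs.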