Ubuntu has issued an advisory on April 26: https://ubuntu.com/security/notices/USN-4927-1 The issue is fixed upstream in 3.38.1. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 3.38.1Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on April 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
Assigning to Olav as the active maintainer of this.
Assignee: bugsquad => olav
Advisory: ======================== Updated file-roller package fixes security vulnerability: A path traversal vulnerability was found in file-roller due to an incomplete fix for CVE-2020-11736. It may still be possible to extract files outside of the intended directory in case of malicious archives containing symbolic links. The highest threat from this vulnerability is to data integrity and system availability (CVE-2020-36314). Also, the patch for CVE-2020-11736 was not applied correctly in the previous update for Mageia 7 (MGASA-2020-0218). This has been corrected. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36314 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/ https://advisories.mageia.org/MGASA-2020-0218.html ======================== Updated packages in core/updates_testing: ======================== file-roller-3.32.1-2.2.mga7 file-roller-3.38.0-1.1.mga8 from SRPMS: file-roller-3.32.1-2.2.mga7.src.rpm file-roller-3.38.0-1.1.mga8.src.rpm
Assignee: olav => qa-bugsStatus comment: Fixed upstream in 3.38.1 => (none)
PoC is here: https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
MGA7 - 64 bit $ uname -a Linux localhost 5.10.46-desktop-1.mga7 #1 SMP Thu Jun 24 14:55:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux upgrade file-roller able to extract and create archives.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OKCC: (none) => brtians1
MGA8 - 64 bit gnome upgraded file-roller Tested proof of concept file. Seems symlinks are rolled back to themselves, so not going anywhere they shouldn't from I can tell. Working as designed.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0311.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
(In reply to David Walser from comment #4) > PoC is here: > https://gitlab.gnome.org/GNOME/file-roller/-/issues/108 https://skibidi-toilet.io Proof of concept file has been tested. From what I can gather, symlinks are being rolled back to themselves and are not going anyplace they shouldn't.
CC: (none) => peanutsunless