Ubuntu has issued an advisory on April 26:
The issue is fixed upstream in 3.38.1.
Mageia 7 is also affected.
Fedora has issued an advisory for this on April 24:
Assigning to Olav as the active maintainer of this.
Updated file-roller package fixes security vulnerability:
A path traversal vulnerability was found in file-roller due to an incomplete
fix for CVE-2020-11736. It may still be possible to extract files outside of
the intended directory in case of malicious archives containing symbolic links.
The highest threat from this vulnerability is to data integrity and system
Also, the patch for CVE-2020-11736 was not applied correctly in the previous
update for Mageia 7 (MGASA-2020-0218). This has been corrected.
Updated packages in core/updates_testing:
PoC is here:
MGA7 - 64 bit
$ uname -a
Linux localhost 5.10.46-desktop-1.mga7 #1 SMP Thu Jun 24 14:55:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Able to extract and create archives.
MGA8 - 64 bit gnome
Tested proof of concept file. Seems symlinks are rolled back to themselves, so not going anywhere they shouldn't from what I can tell.
Working as designed.
MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.
(In reply to David Walser from comment #4)
> PoC is here:
Proof of concept file has been tested. From what I can gather, symlinks are being rolled back to themselves and are not going anyplace they shouldn't.
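The following is an added example, not part of the original thread and not file-roller's code or the upstream 3.38.1 fix: a Python pre-extraction audit for the symlink-based traversal the advisory describes, run over a small constructed tar archive. The function names, the sample paths and the choice of tar as the format are assumptions made for illustration.

```python
import io
import posixpath
import tarfile

def audit_tar(fileobj):
    """Return (member, reason) pairs for entries that could land outside the extraction root."""
    findings = []
    links = set()  # normalized archive paths that earlier entries declared as symlinks
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "absolute path or '..' component"))
                continue
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            # A parent directory that the archive itself supplied as a symlink redirects the write.
            parents = ("/".join(parts[:i]) for i in range(1, len(parts)))
            via = next((p for p in parents if p in links), None)
            if via:
                findings.append((m.name, f"written through symlink {via}"))
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(name) if m.issym() else ""
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                if target.startswith("/") or target.split("/")[0] == "..":
                    findings.append((m.name, f"link target {m.linkname} leaves the root"))
                if m.issym():
                    links.add(name)
    return findings

def build_sample():
    """Constructed test archive: symlink out of the root, a file under it, and a plain file."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("docs")
        link.type, link.linkname = tarfile.SYMTYPE, "../outside"
        tar.addfile(link)
        for path in ("docs/note.txt", "readme.txt"):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, reason in audit_tar(build_sample()):
        print(f"{member}: {reason}")
```

The audit is deliberately conservative: it reports any entry written beneath an archive-supplied symlink, even when that link points inside the extraction root.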