Bug 29006 - file-roller new security issue CVE-2020-36314
Summary: file-roller new security issue CVE-2020-36314
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 00:55 CEST by David Walser
Modified: 2023-10-10 09:36 CEST

See Also:
Source RPM: file-roller-3.38.0-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-05-29 00:55:13 CEST
Ubuntu has issued an advisory on April 26:
https://ubuntu.com/security/notices/USN-4927-1

The issue is fixed upstream in 3.38.1.

Mageia 7 is also affected.
David Walser 2021-05-29 00:55:26 CEST

Status comment: (none) => Fixed upstream in 3.38.1
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-05-29 23:43:30 CEST
Fedora has issued an advisory for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
Comment 2 Lewis Smith 2021-06-02 21:14:08 CEST
Assigning to Olav as the active maintainer of this.

Assignee: bugsquad => olav

Comment 3 David Walser 2021-06-28 19:18:26 CEST
Advisory:
========================

Updated file-roller package fixes security vulnerability:

A path traversal vulnerability was found in file-roller due to an incomplete
fix for CVE-2020-11736. It may still be possible to extract files outside of
the intended directory in case of malicious archives containing symbolic links.
The highest threat from this vulnerability is to data integrity and system
availability (CVE-2020-36314).

Also, the patch for CVE-2020-11736 was not applied correctly in the previous
update for Mageia 7 (MGASA-2020-0218).  This has been corrected.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36314
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
https://advisories.mageia.org/MGASA-2020-0218.html
========================

Updated packages in core/updates_testing:
========================
file-roller-3.32.1-2.2.mga7
file-roller-3.38.0-1.1.mga8

from SRPMS:
file-roller-3.32.1-2.2.mga7.src.rpm
file-roller-3.38.0-1.1.mga8.src.rpm

Assignee: olav => qa-bugs
Status comment: Fixed upstream in 3.38.1 => (none)

Comment 4 David Walser 2021-07-01 00:10:46 CEST
PoC is here:
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
Comment 5 Brian Rockwell 2021-07-02 20:47:42 CEST
MGA7 - 64 bit

$ uname -a
Linux localhost 5.10.46-desktop-1.mga7 #1 SMP Thu Jun 24 14:55:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

upgrade file-roller

able to extract and create archives.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => brtians1

Comment 6 Brian Rockwell 2021-07-02 21:06:38 CEST
MGA8  - 64 bit gnome

upgraded file-roller

Tested proof of concept file.  Seems symlinks are rolled back to themselves, so not going anywhere they shouldn't from what I can tell.

Working as designed.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Thomas Andrews 2021-07-03 01:09:57 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-04 02:38:26 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-07-04 04:15:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0311.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
