Bug 1374275 (CVE-2016-7162)
Summary: | CVE-2016-7162 file-roller: Path traversal vulnerability when opening crafted archive | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dking, dmoppert, marinaz, mclasen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | file-roller 3.20.3, file-roller 3.21.90 | Doc Type: | If docs needed, set a value |
Doc Text: | A path traversal flaw was found in file-roller. If a user were tricked into opening a specially crafted archive and clicking on a symbolic link, file deletion could occur. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-09-19 23:40:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1374276 | ||
Bug Blocks: | 1374279 |
Description
Adam Mariš
2016-09-08 11:43:41 UTC
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1374276]

Since this requires clear user interaction (the link has to be clicked in file roller for deletion to occur), and results at worst in deleted files, security impact is Moderate and likely resolution for rhel is wontfix. Desktop team might be more interested in it as a usability issue.