Bug 1767594 (CVE-2019-16680)

Summary: CVE-2019-16680 file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: caillon+fedoraproject, dking, gnome-sig, john.j5live, marinaz, mcascell, mclasen, rhughes, rstrode, sandmann
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: file-roller 3.29.91
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was discovered in file-roller (Archive Manager for GNOME) in the way file paths containing special characters are sanitized. Archives containing the character sequence "../" in a file path can trigger this flaw. A remote attacker could exploit it by creating a specially crafted archive with a file inside one or more sub-directories. When the archive is opened by a victim, file-roller extracts the file into the current working directory instead of the sub-directory that an inspection of the archive listing would suggest.
Story Points: ---
Last Closed: 2020-11-04 02:22:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1785689, 1785690
Bug Blocks: 1767595

Description Guilherme de Almeida Suckevicz 2019-10-31 18:36:57 UTC
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=794337

Comment 4 Mauro Matteo Cascella 2019-12-19 14:48:02 UTC
The flaw lies in the function sanitize_filename() of glib-utils.c. This function aims at sanitizing the file path of an archive entry while extracting the archive.
More specifically, the function loops over the file path looking for any sequence of characters "../". If found, the code omits the entire prefix and returns the remaining part beyond the special characters.
As a result, a file path such as "a/b/../x" would translate into "x", and the file "x" would be written in the current directory.

Comment 5 Mauro Matteo Cascella 2019-12-19 14:48:06 UTC
Mitigation:

Avoid using file-roller (Archive Manager for GNOME) to extract untrusted archives; use the suitable command-line utilities instead (such as `tar` or `unzip`).

Comment 6 Mauro Matteo Cascella 2019-12-20 00:12:28 UTC
The upstream fix modifies the behavior of sanitize_filename() by returning NULL if any sequence of "../" is found within the file path. This causes the archive entry to be skipped during the archive extraction.
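
Added example, not file-roller's source: a small C reconstruction of the two behaviours described in comments 4 and 6, the vulnerable sanitizer that drops the prefix before "../" and the fixed one that returns NULL so the entry is skipped, run over a constructed archive listing. Function and sample names are my own.

```c
#include <stdio.h>
#include <string.h>
/* Reconstruction of the vulnerable behaviour from comment 4 (not the
 * file-roller source): each "../" discards everything before it and the
 * remainder becomes the path the entry is extracted to. */
static const char *sanitize_filename_vulnerable(const char *file_name)
{
    const char *p, *result = file_name;
    if (file_name == NULL)
        return NULL;
    for (p = file_name; *p != '\0'; p++)
        if (p[0] == '.' && p[1] == '.' && p[2] == '/')
            result = p + 3; /* "a/b/../x" becomes "x" */
    return result;
}

/* Behaviour of the upstream fix from comment 6: any "../" makes the path
 * unsafe, NULL is returned and the caller skips the entry. */
static const char *sanitize_filename_fixed(const char *file_name)
{
    if (file_name == NULL || strstr(file_name, "../") != NULL)
        return NULL;
    return file_name;
}

/* Number of listing entries a given sanitizer would let be written. */
static size_t count_extracted(const char *const *names, size_t n,
                              const char *(*sanitize)(const char *))
{
    size_t i, count = 0;
    for (i = 0; i < n; i++)
        if (sanitize(names[i]) != NULL)
            count++;
    return count;
}

/* Constructed sample listing, not taken from a real archive. */
static const char *const sample[] = {
    "docs/readme.txt", "docs/../readme.txt", "./../notes.txt", "x/y/z.txt"
};

int main(void)
{
    size_t n = sizeof sample / sizeof sample[0];
    printf("vulnerable writes %zu of %zu entries, fixed writes %zu\n",
           count_extracted(sample, n, sanitize_filename_vulnerable), n,
           count_extracted(sample, n, sanitize_filename_fixed));
    return 0;
}
```

With the vulnerable sanitizer all four constructed entries are written, two of them into the current directory; with the fixed one the two "../" entries are skipped.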

Comment 7 Mauro Matteo Cascella 2019-12-20 09:33:51 UTC
There are two different paths that lead to the vulnerable function:

1) _fr_window_ask_overwrite_dialog() in fr-window.c. This function is called before extracting the archive.
2) extract_archive_thread() in fr-archive-libarchive.c. This function is responsible for the archive extraction when libarchive support is enabled.

Libarchive is a C library for reading, writing and creating archives in a variety of different formats (https://github.com/libarchive/libarchive).
Note that the versions of file-roller shipped with Red Hat Enterprise Linux 7 and 8 have been built with libarchive support; conversely, the versions of file-roller shipped with Red Hat Enterprise Linux 6 did not include support for libarchive.

Comment 8 Mauro Matteo Cascella 2019-12-20 09:51:32 UTC
All archive formats supported by libarchive (such as tar, cpio, zip, rar, etc.) may be affected by this flaw.
For further information please refer to https://github.com/libarchive/libarchive/wiki/LibarchiveFormats#archive-formats-supported.

Comment 11 Product Security DevOps Team 2020-11-04 02:22:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16680

Comment 12 errata-xmlrpc 2020-11-04 04:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4820 https://access.redhat.com/errata/RHSA-2020:4820