Bug 1824985 (CVE-2020-11736)

Summary: CVE-2020-11736 file-roller: directory traversal via directory symlink pointing outside of the target directory
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caillon+fedoraproject, dking, gnome-sig, john.j5live, marinaz, mclasen, rhughes, rstrode, sandmann
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: file-roller 3.36.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:25:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1824990, 1827394, 1827395    
Bug Blocks: 1824992    

Description Guilherme de Almeida Suckevicz 2020-04-16 19:24:27 UTC
fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Reference and upstream commit:

Comment 1 Guilherme de Almeida Suckevicz 2020-04-16 19:34:07 UTC
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1824990]

Comment 2 Guilherme de Almeida Suckevicz 2020-04-16 19:34:10 UTC
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1824990]

Comment 4 Marco Benatto 2020-04-23 20:25:43 UTC
There's an issue with file-roller, during archive extraction the function extract_archive_thread() doesn't check whether a existing symlink expands to outside extracting path. This weakness can be leveraged by an attacker crafting a malicious archive file containing a determined symbolic link structure, allowing files outside the extraction directory to be overwritten. A well succeeded attack depends on User Interaction by opening and extracting the malicious archive file. The attack has a Low Integrity impact as file creation and overwritten is restricted only to the paths user has permissions to write. It may be a Low Availability impact depending on which files are overwritten.

Comment 5 Product Security DevOps Team 2020-11-04 02:25:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 6 errata-xmlrpc 2020-11-04 04:08:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4820 https://access.redhat.com/errata/RHSA-2020:4820