Bug 1947534 (CVE-2020-36314)

Summary: CVE-2020-36314 file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caillon+fedoraproject, dking, gnome-sig, marinaz, mclasen, rhughes, rstrode, sandmann
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: file-roller 3.39.1 Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in file-roller due to an incomplete fix for CVE-2020-11736. It may still be possible to extract files outside of the intended directory in case of malicious archives containing symbolic links. The highest threat from this vulnerability is to data integrity and system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 23:51:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1947535, 1948649    
Bug Blocks: 1947536    

Description Guilherme de Almeida Suckevicz 2021-04-08 16:55:04 UTC 
fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

Reference:
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108

Upstream patch:
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
Comment 1 Guilherme de Almeida Suckevicz 2021-04-08 16:55:19 UTC 
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1947535]
Comment 4 Mauro Matteo Cascella 2021-04-20 17:55:38 UTC 
The fix for CVE-2020-11736 that turned out to be incomplete was introduced in file-roller 3.36.2:
https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
Comment 5 Mauro Matteo Cascella 2021-04-20 19:02:59 UTC 
As noted upstream, vulnerable versions of file-roller didn't properly handle symbolic links during archive extraction. Specifically, the issue could occur with a crafted archive containing a symbolic link (e.g., par -> cur/..) pointing to another symbolic link (e.g., cur -> .)

The resulting path was not resolved correctly, leading to path traversal and potential file overwrite.
Comment 7 errata-xmlrpc 2021-11-09 17:36:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4179 https://access.redhat.com/errata/RHSA-2021:4179
Comment 8 Product Security DevOps Team 2021-11-09 23:51:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36314