Bug 1767594 (CVE-2019-16680) - CVE-2019-16680 file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive
Summary: CVE-2019-16680 file-roller: path traversal vulnerability via a specially craf...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16680
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1785689 1785690
Blocks: 1767595
TreeView+ depends on / blocked
 
Reported: 2019-10-31 18:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:07 UTC (History)
10 users (show)

Fixed In Version: file-roller 3.29.91
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was discovered in the file-roller (Archive Manager for GNOME) in the way file paths with special characters are sanitized. Archives containing the sequence of characters "../" in a file path may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted archive with a file inside one or more sub-directories. When opened by a victim, the file-roller would extract the file in the current working directory instead of a sub-directory, as it may be expected by inspecting the archive.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:22:50 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4820 0 None None None 2020-11-04 04:08:25 UTC

Description Guilherme de Almeida Suckevicz 2019-10-31 18:36:57 UTC
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=794337

Comment 4 Mauro Matteo Cascella 2019-12-19 14:48:02 UTC
The flaw lies in the function sanitize_filename() of glib-utils.c. This function aims at sanitizing the file path of an archive entry while extracting the archive.
More specifically, the function loops over the file path looking for any sequence of characters "../". If found, the code omits the entire prefix and returns the remaining part beyond the special characters.
As a result, a file path such as "a/b/../x" would translate into "x", and the file "x" would be written in the current directory.

Comment 5 Mauro Matteo Cascella 2019-12-19 14:48:06 UTC
Mitigation:

Avoid using file-roller (Archive Manager for GNOME) to extract untrusted archives, use the suitable command line utilities instead (such as `tar` or `unzip`).

Comment 6 Mauro Matteo Cascella 2019-12-20 00:12:28 UTC
The upstream fix modifies the behavior of sanitize_filename() by returning NULL if any sequence of "../" is found within the file path. This causes the archive entry to be skipped during the archive extraction.

Comment 7 Mauro Matteo Cascella 2019-12-20 09:33:51 UTC
There are two different paths that lead to the vulnerable function:

1) _fr_window_ask_overwrite_dialog() in fr-window.c. This function is called before extracting the archive.
2) extract_archive_thread() in fr-archive-libarchive.c. This function is responsible for the archive extraction when libarchive support is enabled.

Libarchive is a C library for reading, writing and creating archives in a variety of different formats (https://github.com/libarchive/libarchive).
Note that the versions of file-roller as shipped with Red Hat Enterprise Linux 7, and 8 have been built with libarchive support; conversely, the versions of file-roller as shipped with Red Hat Enterprise Linux 6 did not include support for libarchive.

Comment 8 Mauro Matteo Cascella 2019-12-20 09:51:32 UTC
All archive formats supported by libarchive (such as tar, cpio, zip, rar, etc.) may be affected by this flaw.
For further information please refer to https://github.com/libarchive/libarchive/wiki/LibarchiveFormats#archive-formats-supported.

Comment 11 Product Security DevOps Team 2020-11-04 02:22:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16680

Comment 12 errata-xmlrpc 2020-11-04 04:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4820 https://access.redhat.com/errata/RHSA-2020:4820


Note You need to log in before you can comment on or make changes to this bug.