An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction. Reference: https://bugzilla.gnome.org/show_bug.cgi?id=794337
Upstream fix: https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2 https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1
The flaw lies in the function sanitize_filename() of glib-utils.c. This function aims at sanitizing the file path of an archive entry while extracting the archive. More specifically, the function loops over the file path looking for any sequence of characters "../". If found, the code omits the entire prefix and returns the remaining part beyond the special characters. As a result, a file path such as "a/b/../x" would translate into "x", and the file "x" would be written in the current directory.
Mitigation: Avoid using file-roller (Archive Manager for GNOME) to extract untrusted archives, use the suitable command line utilities instead (such as `tar` or `unzip`).
The upstream fix modifies the behavior of sanitize_filename() by returning NULL if any sequence of "../" is found within the file path. This causes the archive entry to be skipped during the archive extraction.
There are two different paths that lead to the vulnerable function: 1) _fr_window_ask_overwrite_dialog() in fr-window.c. This function is called before extracting the archive. 2) extract_archive_thread() in fr-archive-libarchive.c. This function is responsible for the archive extraction when libarchive support is enabled. Libarchive is a C library for reading, writing and creating archives in a variety of different formats (https://github.com/libarchive/libarchive). Note that the versions of file-roller as shipped with Red Hat Enterprise Linux 7, and 8 have been built with libarchive support; conversely, the versions of file-roller as shipped with Red Hat Enterprise Linux 6 did not include support for libarchive.
All archive formats supported by libarchive (such as tar, cpio, zip, rar, etc.) may be affected by this flaw. For further information please refer to https://github.com/libarchive/libarchive/wiki/LibarchiveFormats#archive-formats-supported.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16680
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4820 https://access.redhat.com/errata/RHSA-2020:4820