1767594 – (CVE-2019-16680) CVE-2019-16680 file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive

Bug 1767594 (CVE-2019-16680) - CVE-2019-16680 file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive

Summary: CVE-2019-16680 file-roller: path traversal vulnerability via a specially craf...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-16680
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1785689 1785690
Blocks:	1767595
TreeView+	depends on / blocked

Reported:	2019-10-31 18:36 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 21:07 UTC (History)
CC List:	10 users (show)
Fixed In Version:	file-roller 3.29.91
Doc Type:	If docs needed, set a value
Doc Text:	A path traversal vulnerability was discovered in the file-roller (Archive Manager for GNOME) in the way file paths with special characters are sanitized. Archives containing the sequence of characters "../" in a file path may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted archive with a file inside one or more sub-directories. When opened by a victim, the file-roller would extract the file in the current working directory instead of a sub-directory, as it may be expected by inspecting the archive.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:22:50 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4820	0	None	None	None	2020-11-04 04:08:25 UTC

Description Guilherme de Almeida Suckevicz 2019-10-31 18:36:57 UTC

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=794337

Comment 3 Mauro Matteo Cascella 2019-12-19 11:28:44 UTC

Upstream fix:

https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2
https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1

Comment 4 Mauro Matteo Cascella 2019-12-19 14:48:02 UTC

The flaw lies in the function sanitize_filename() of glib-utils.c. This function aims at sanitizing the file path of an archive entry while extracting the archive.
More specifically, the function loops over the file path looking for any sequence of characters "../". If found, the code omits the entire prefix and returns the remaining part beyond the special characters.
As a result, a file path such as "a/b/../x" would translate into "x", and the file "x" would be written in the current directory.

Comment 5 Mauro Matteo Cascella 2019-12-19 14:48:06 UTC

Mitigation:

Avoid using file-roller (Archive Manager for GNOME) to extract untrusted archives, use the suitable command line utilities instead (such as `tar` or `unzip`).

Comment 6 Mauro Matteo Cascella 2019-12-20 00:12:28 UTC

The upstream fix modifies the behavior of sanitize_filename() by returning NULL if any sequence of "../" is found within the file path. This causes the archive entry to be skipped during the archive extraction.

Comment 7 Mauro Matteo Cascella 2019-12-20 09:33:51 UTC

There are two different paths that lead to the vulnerable function:

1) _fr_window_ask_overwrite_dialog() in fr-window.c. This function is called before extracting the archive.
2) extract_archive_thread() in fr-archive-libarchive.c. This function is responsible for the archive extraction when libarchive support is enabled.

Libarchive is a C library for reading, writing and creating archives in a variety of different formats (https://github.com/libarchive/libarchive).
Note that the versions of file-roller as shipped with Red Hat Enterprise Linux 7, and 8 have been built with libarchive support; conversely, the versions of file-roller as shipped with Red Hat Enterprise Linux 6 did not include support for libarchive.

Comment 8 Mauro Matteo Cascella 2019-12-20 09:51:32 UTC

All archive formats supported by libarchive (such as tar, cpio, zip, rar, etc.) may be affected by this flaw.
For further information please refer to https://github.com/libarchive/libarchive/wiki/LibarchiveFormats#archive-formats-supported.

Comment 11 Product Security DevOps Team 2020-11-04 02:22:50 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16680

Comment 12 errata-xmlrpc 2020-11-04 04:08:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4820 https://access.redhat.com/errata/RHSA-2020:4820

Note You need to log in before you can comment on or make changes to this bug.