fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

Reference:
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108

Upstream patch:
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae

Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1947535]
The fix for CVE-2020-11736 that turned out to be incomplete was introduced in file-roller 3.36.2: https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
As noted upstream, vulnerable versions of file-roller didn't properly handle symbolic links during archive extraction. Specifically, the issue could occur with a crafted archive containing a symbolic link (e.g., par -> cur/..) pointing to another symbolic link (e.g., cur -> .). The resulting path was not resolved correctly, leading to path traversal and potential file overwrite.
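The link chain from the comment above, audited one path component at a time next to a string-only check that accepts it. This is an added example, not file-roller's code or the upstream patch; the function names, MAX_HOPS and the sample listing are assumptions made for illustration.

```python
import posixpath

MAX_HOPS = 40  # assumed cap on symlink hops, so link loops terminate

def parts(p):
    return [c for c in p.split("/") if c not in ("", ".")]

def resolve(path, links):
    """Walk `path` from the extraction root one component at a time,
    following in-archive symlinks. Returns the resolved components as a
    tuple, or None if the walk climbs above the root."""
    done, todo, hops = [], parts(path)[::-1], 0
    while todo:
        comp = todo.pop()
        if comp == "..":
            if not done:
                return None          # stepped above the extraction root
            done.pop()
            continue
        target = links.get(tuple(done + [comp]))
        if target is None:
            done.append(comp)        # ordinary file or directory name
            continue
        hops += 1
        if hops > MAX_HOPS or target.startswith("/"):
            return None              # link loop, or absolute link target
        todo.extend(parts(target)[::-1])  # target is relative to `done`
    return tuple(done)

def lexical_ok(path):
    """String-only check, for contrast: ignores what symlinks point to."""
    norm = posixpath.normpath(path)
    return not (norm.startswith("/") or norm == ".." or norm.startswith("../"))

def audit(entries):
    """entries: (name, link_target or None) in archive order.
    Returns names whose parent directory resolves outside the root."""
    links, flagged = {}, []
    for name, target in entries:
        parent, base = posixpath.split(name.rstrip("/"))
        where = None if name.startswith("/") or base == ".." else resolve(parent, links)
        if where is None:
            flagged.append(name)
        elif target is not None:
            links[where + (base,)] = target
        else:
            links.pop(where + (base,), None)  # non-link entry replaces a link
    return flagged

# Constructed listing: link names are from the report, file names are made up.
SAMPLE = [("cur", "."), ("par", "cur/.."), ("par/notes.txt", None), ("docs/readme.txt", None)]
```

Normalising the string cur/.. gives ".", which looks like the extraction root, while following cur -> . first and then applying ".." lands one level above it.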
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4179 https://access.redhat.com/errata/RHSA-2021:4179

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36314