File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug that could result in deleted files if a user were tricked into opening a malicious archive.
Created file-roller tracking bugs for this issue:
Affects: fedora-all [bug 1374276]
Since this requires clear user interaction (the link has to be clicked in file roller for deletion to occur), and results at worst in deleted files, security impact is Moderate and likely resolution for rhel is wontfix. Desktop team might be more interested in it as a usability issue.