File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug that could result in deleted files if a user were tricked into opening a malicious archive.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=698554
Upstream patch: https://git.gnome.org/browse/file-roller/commit/?id=f70be1f41688859ec8dbe266df35a1839ceb96c5
CVE assignment: http://seclists.org/oss-sec/2016/q3/436
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1374276]
Since this requires clear user interaction (the link has to be clicked in File Roller for deletion to occur), and results at worst in deleted files, security impact is Moderate and likely resolution for RHEL is wontfix. Desktop team might be more interested in it as a usability issue.