Bug 1947534 (CVE-2020-36314) - CVE-2020-36314 file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)
Summary: CVE-2020-36314 file-roller: directory traversal via directory symlink pointin...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-36314
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1947535 1948649
Blocks: 1947536
TreeView+ depends on / blocked
 
Reported: 2021-04-08 16:55 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 23:51 UTC (History)
8 users (show)

Fixed In Version: file-roller 3.39.1
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in file-roller due to an incomplete fix for CVE-2020-11736. It may still be possible to extract files outside of the intended directory in case of malicious archives containing symbolic links. The highest threat from this vulnerability is to data integrity and system availability.
Clone Of:
Environment:
Last Closed: 2021-11-09 23:51:02 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4179 0 None None None 2021-11-09 17:36:04 UTC

Description Guilherme de Almeida Suckevicz 2021-04-08 16:55:04 UTC
fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

Reference:
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108

Upstream patch:
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae

Comment 1 Guilherme de Almeida Suckevicz 2021-04-08 16:55:19 UTC
Created file-roller tracking bugs for this issue:

Affects: fedora-all [bug 1947535]

Comment 4 Mauro Matteo Cascella 2021-04-20 17:55:38 UTC
The fix for CVE-2020-11736 that turned out to be incomplete was introduced in file-roller 3.36.2:
https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0

Comment 5 Mauro Matteo Cascella 2021-04-20 19:02:59 UTC
As noted upstream, vulnerable versions of file-roller didn't properly handle symbolic links during archive extraction. Specifically, the issue could occur with a crafted archive containing a symbolic link (e.g., par -> cur/..) pointing to another symbolic link (e.g., cur -> .)

The resulting path was not resolved correctly, leading to path traversal and potential file overwrite.

Comment 7 errata-xmlrpc 2021-11-09 17:36:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4179 https://access.redhat.com/errata/RHSA-2021:4179

Comment 8 Product Security DevOps Team 2021-11-09 23:51:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36314


Note You need to log in before you can comment on or make changes to this bug.