Bug 1218428 (CVE-2023-50255)

Summary: VUL-0: CVE-2023-50255: deepin-compressor: path traversal during file extraction
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Hillwood Yang <hillwoodroc>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/389416/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-12-28 08:42:18 UTC
Deepin-Compressor is the default archive manager of Deepin Linux OS. Prior to 5.12.21, there's a path traversal vulnerability in deepin-compressor that can be exploited to achieve Remote Command Execution on the target system upon opening crafted archives. Users are advised to update to version 5.12.21 which addresses the issue. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50255
https://github.com/linuxdeepin/deepin-compressor/commit/82f668c78c133873f5094cfab6e4eabc0b70e4b6
https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-rw5r-8p9h-3gp2
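The bug class named in the description, path traversal during archive extraction, illustrated by an added example that is not code from deepin-compressor or from its fix commit: a per-entry check an extractor can run before writing each archive member, rejecting names that resolve outside the destination directory. The entry names are constructed, and `is_safe_entry` / `plan_extraction` are hypothetical helper names.

```python
import os
import posixpath

# Constructed archive member names (not taken from any real archive).
# The traversal cases show the kind of input the check must reject.
SAMPLE_ENTRIES = [
    "docs/readme.txt",        # plain relative path: allowed
    "docs/../notes.txt",      # climbs, but stays inside the destination: allowed
    "../escape.txt",          # climbs out of the destination: rejected
    "a/b/../../../escape2",   # escapes only after normalization: rejected
    "/etc/passwd",            # absolute path: rejected
    "",                       # empty name: rejected
]


def is_safe_entry(dest_dir: str, entry: str) -> bool:
    """Return True only if `entry` would land inside `dest_dir` when written."""
    if not entry or entry.startswith("/") or "\\" in entry:
        return False
    # Archive formats use '/' separators regardless of the host OS, so
    # normalize with posixpath before touching the local filesystem.
    normalized = posixpath.normpath(entry)
    if normalized in (".", "..") or normalized.startswith("../"):
        return False
    # Resolve symlinks in the destination itself, then confirm the final
    # target is the destination or a descendant of it (prefix check on a
    # separator boundary, so "/tmp/out2" does not pass for "/tmp/out").
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalized))
    return target == dest_real or target.startswith(dest_real + os.sep)


def plan_extraction(dest_dir: str, entries):
    """Map each entry to its verdict; an extractor would skip or abort on False.

    The check must run per entry at write time: an earlier entry could create
    a symlink inside dest_dir, which realpath() then follows for later ones.
    """
    return {entry: is_safe_entry(dest_dir, entry) for entry in entries}


if __name__ == "__main__":
    for name, ok in plan_extraction("/tmp/out", SAMPLE_ENTRIES).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {name!r}")
```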
Comment 1 Carlos López 2023-12-28 08:43:04 UTC
Relevant for:
 - openSUSE:Backports:SLE-15-SP4/deepin-compressor
 - openSUSE:Backports:SLE-15-SP5/deepin-compressor
 - openSUSE:Factory/deepin-compressor
Comment 2 OBSbugzilla Bot 2023-12-28 13:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1218428) was mentioned in
https://build.opensuse.org/request/show/1135472 Backports:SLE-15-SP4 / deepin-compressor
https://build.opensuse.org/request/show/1135474 Backports:SLE-15-SP5 / deepin-compressor
https://build.opensuse.org/request/show/1135476 Factory / deepin-compressor
Comment 3 Marcus Meissner 2023-12-30 20:04:57 UTC
openSUSE-SU-2023:0423-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1218428
CVE References: CVE-2023-50255
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    deepin-compressor-5.12.13-bp155.2.3.1
Comment 4 Marcus Meissner 2023-12-30 20:05:34 UTC
openSUSE-SU-2023:0424-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1218428
CVE References: CVE-2023-50255
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    deepin-compressor-5.12.2-bp154.2.3.1
Comment 5 Hillwood Yang 2024-06-16 08:58:31 UTC
Fixed