Bugzilla – Bug 828328
VUL-1: CVE-2013-4668: file-roller: oCERT-2013-001: File Roller path sanitization errors
Last modified: 2013-10-25 18:02:52 UTC
via oCERT - distros@, not public yet, keep inside SUSE
CRD Monday 8th 1500 UTC
#2013-001 File Roller path sanitization errors
The File Roller archive manager for the GNOME desktop suffers from a path
traversal vulnerability caused by insufficient path sanitization.
A specially crafted archive file can be used to trigger creation of
arbitrary files outside the current working directory, in any location
writable by the user performing the extraction. This behaviour is
triggered when the option 'Keep directory structure' is selected in the
application's 'Extract' dialog.
The issue is present on File Roller installations which have been compiled
with libarchive support, which is used to handle tar, cpio and lha archives
and ISO images. libarchive support is enabled by default.
Affected version: File Roller > 3.6.0
Fixed version: File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3
Credit: vulnerability report received from Yorick Koster <yorick.koster AT
2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2013-05-27: maintainer provides patch for review
2013-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released
+Author: Paolo Bacchilega <firstname.lastname@example.org>
+ libarchive: sanitize filenames before extracting
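The advisory above describes the bug only at the level of "insufficient path sanitization" of archive entry names. The following is an added example written for this page; it is not File Roller's code and not the maintainer's patch. It shows the check an extractor needs before it builds an on-disk path from an entry name when 'Keep directory structure' is in effect: leading '/' and '.' components are dropped, any '..' component causes the entry to be skipped, and the result is only then joined to the destination directory. The function names, the destination directory and the entry names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not file-roller's own code).
 * Copies a safe, relative form of entry_name into out: runs of '/' are
 * collapsed, a leading '/' is dropped (so "/etc/passwd" becomes
 * "etc/passwd"), "." components are removed, and any ".." component makes
 * the whole entry unsafe because it could step out of the destination.
 * Returns false when the entry must be skipped. */
bool sanitize_entry_name(const char *entry_name, char *out, size_t outlen)
{
    if (entry_name == NULL || out == NULL || outlen == 0)
        return false;

    size_t pos = 0;
    const char *p = entry_name;

    while (*p != '\0') {
        while (*p == '/')               /* skip separators, incl. a leading one */
            p++;
        if (*p == '\0')
            break;

        const char *comp = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - comp);

        if (len == 1 && comp[0] == '.')
            continue;                   /* "." contributes nothing */
        if (len == 2 && comp[0] == '.' && comp[1] == '.')
            return false;               /* ".." would escape the destination */

        /* room for an optional '/', the component and the terminating NUL */
        if (pos + (pos ? 1 : 0) + len + 1 > outlen)
            return false;
        if (pos)
            out[pos++] = '/';
        memcpy(out + pos, comp, len);
        pos += len;
    }

    if (pos == 0)
        return false;                   /* "", "/", "." etc.: nothing to create */
    out[pos] = '\0';
    return true;
}

/* Joins dest_dir and the sanitized entry name. Returns false when the
 * entry was rejected or the result does not fit. */
bool build_extract_path(const char *dest_dir, const char *entry_name,
                        char *out, size_t outlen)
{
    char rel[256];
    if (!sanitize_entry_name(entry_name, rel, sizeof rel))
        return false;
    int n = snprintf(out, outlen, "%s/%s", dest_dir, rel);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed entry names, modelled on what a crafted archive would carry. */
    const char *entries[] = {
        "docs/readme.txt",
        "./docs/./notes.txt",
        "/etc/passwd",
        "../../../../tmp/owned",
        "docs/../../.bashrc",
    };
    char path[512];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (build_extract_path("/home/user/extract", entries[i], path, sizeof path))
            printf("extract  %-24s -> %s\n", entries[i], path);
        else
            printf("skip     %-24s (would escape the destination)\n", entries[i]);
    }
    return 0;
}
```

The check is purely lexical, which is the right shape for the bug described here but not the whole story for an extractor: an archive can also create a symbolic link as an early entry and then write "through" it with a later one, and no amount of string inspection on the second entry's name catches that. When libarchive's archive_write_disk is doing the writing, its ARCHIVE_EXTRACT_SECURE_NODOTDOT and ARCHIVE_EXTRACT_SECURE_SYMLINKS flags cover the '..' and the symlink cases respectively; an application that builds paths itself, as the sanitized name above would be used, still has to refuse to follow links it did not create.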
bugbot adjusting priority
is public, was posted to oss-sec
Federico - can you take this ...
I'm on this.
Submitted to openSUSE:12.3:Update with request id 184134.
Reassigning to security-team. As far as I can tell only openSUSE 12.3 is affected, and no SLE products are.
This is an autogenerated message for OBS integration:
This bug (828328) was mentioned in
https://build.opensuse.org/request/show/184134 Maintenance /
openSUSE-SU-2013:1281-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 828328
CVE References: CVE-2013-4668
openSUSE 12.3 (src): file-roller-3.6.3-2.4.1