Bug 828328 - (CVE-2013-4668) VUL-1: CVE-2013-4668: file-roller: oCERT-2013-001: File Roller path sanitization errors
(CVE-2013-4668)
VUL-1: CVE-2013-4668: file-roller: oCERT-2013-001: File Roller path sanitizat...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-05 13:23 UTC by Marcus Meissner
Modified: 2013-10-25 18:02 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-05 13:23:20 UTC
via oCERT - distros@, not public yet, keep inside SUSE

CRD MOnday 8th 1500 UTC

http://www.ocert.org/advisories/ocert-2013-001.html

#2013-001 File Roller path sanitization errors

Description:

The File Roller archive manager for the GNOME desktop suffers from a path
traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to trigger creation of
arbitrary files in any writable location, by the user executing the
extraction, outside the current working directory. This behaviour is
triggered when the option 'Keep directory structure' is selected from the
application 'Extract' dialog.

The issue is present on File Roller installations which have been compiled
with libarchive support, used to handle tar, cpio, lha archives and ISO
images. The libarchive support is enabled by default.

Affected version:

File Roller > 3.6.0

Fixed version:

File Roller >= 3.6.4, >= 3.8.3, >= 3.9.3

Credit: vulnerability report received from Yorick Koster <yorick.koster AT
securify.nl>.

CVE: N/A

Timeline:

2013-05-16: vulnerability report received
2013-05-20: contacted File Roller maintainer
2012-05-27: maintainer provides patch for review
2012-05-28: reporter confirms patch effectiveness
2013-06-11: oCERT confirms patch effectiveness
2013-06-17: File Roller 3.9.3 released
2013-07-02: File Roller 3.6.4, 3.8.3 released

References:
http://fileroller.sourceforge.net
http://git.gnome.org/browse/file-roller

Permalink:
http://www.ocert.org/advisories/ocert-2013-001.html
Comment 1 Marcus Meissner 2013-07-05 13:24:06 UTC
Kurt wrote:

...
+commit 1e73fce51545a067767b5ba84202e73175ad0672
+Author: Paolo Bacchilega <paobac@src.gnome.org>
+Date:  2013-05-27
+
+    libarchive: sanitize filenames before extracting
+
+M      src/fr-archive-libarchive.c
+M      src/fr-window.c
+M      src/glib-utils.c
+M      src/glib-utils.h
...
Comment 2 Swamp Workflow Management 2013-07-05 22:00:36 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-07-08 14:15:03 UTC
is public, was posted to oss-sec
Comment 4 Marcus Meissner 2013-07-08 14:18:03 UTC
CVE-2013-4668
Comment 5 Scott Reeves 2013-07-08 22:38:03 UTC
Federico - can you take this ...
Comment 6 Federico Mena Quintero 2013-07-22 20:21:07 UTC
I'm on this.
Comment 7 Federico Mena Quintero 2013-07-24 03:13:30 UTC
Submitted to openSUSE:12.3:Update with request id 184134.
Comment 8 Federico Mena Quintero 2013-07-24 03:48:53 UTC
Reassigning to security-team.  As far as I can tell only openSUSE 12.3 is affected, and no SLE products are.
Comment 9 Bernhard Wiedemann 2013-07-24 04:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (828328) was mentioned in
https://build.opensuse.org/request/show/184134 Maintenance /
Comment 10 Swamp Workflow Management 2013-07-31 13:04:19 UTC
openSUSE-SU-2013:1281-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 828328
CVE References: CVE-2013-4668
Sources used:
openSUSE 12.3 (src):    file-roller-3.6.3-2.4.1
Comment 11 Marcus Meissner 2013-10-25 18:02:52 UTC
done