CVE-2020-36314

EUVD-2020-23856
fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.9 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
gnomefile-roller
𝑥
≤ 3.38.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
file-roller
bookworm
43.0-1
fixed
bullseye
3.38.1-1
fixed
buster
no-dsa
sid
44.3-1
fixed
stretch
postponed
trixie
44.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
file-roller
bionic
Fixed 3.28.0-1ubuntu1.3
released
focal
Fixed 3.36.3-0ubuntu1.1
released
groovy
Fixed 3.38.0-1ubuntu0.1
released
hirsute
Fixed 3.38.1-1
released
trusty
dne
xenial
Fixed 3.16.5-0ubuntu1.5
released
Common Weakness Enumeration
References
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/