CVE-2020-11736

Name: CVE-2020-11736
Description: fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows directory traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
Source: CVE (at NVD)
References: DLA-2180-1
NVD severity: low
Debian Bugs: 956638
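
The description above is the whole story of the bug: an archive first plants a symlink, then ships a file whose parent directory is that symlink, and an extractor that never re-checks where the parent resolves writes the file wherever the symlink points. The following is an added illustration, not file-roller's code and not the logic of the linked commit; it builds a constructed two-entry tar archive in memory and runs it through a naive extractor and a hardened one. The hardened variant uses the generic check (resolve the parent with realpath and require it to stay under the extraction root); the function and path names are the example's own.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive (not a real-world artifact) with two entries:
    1. 'evil'            a symlink to '../outside', a directory beside the extraction root
    2. 'evil/pwned.txt'  a regular file whose parent directory is that symlink
    An extractor that creates the symlink and then writes the file without checking
    where the parent now resolves ends up writing outside the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("evil")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"
        tf.addfile(link)
        data = b"written through a symlinked parent\n"
        member = tarfile.TarInfo("evil/pwned.txt")
        member.size = len(data)
        tf.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def _write_member(tf, member, target):
    """Materialise one member at 'target' exactly as the archive describes it."""
    if member.issym():
        os.symlink(member.linkname, target)
    elif member.isdir():
        os.makedirs(target, exist_ok=True)
    elif member.isfile():
        # makedirs and open both follow a symlinked parent without complaint
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as out:
            out.write(tf.extractfile(member).read())


def naive_extract(tar_bytes: bytes, dest: str) -> None:
    """Vulnerable pattern: trusts the member path and follows whatever the parent is."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf:
            _write_member(tf, member, os.path.join(dest, member.name))


def safe_extract(tar_bytes: bytes, dest: str) -> None:
    """Hardened pattern (generic check, assumed for this example): before creating any
    entry, resolve its parent directory on the real filesystem (symlinks and '..'
    included) and refuse it unless that resolved parent is still inside the root."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf:
            target = os.path.join(dest, member.name)
            parent = os.path.realpath(os.path.dirname(target))
            if os.path.commonpath([root, parent]) != root:
                raise ValueError(
                    f"refusing {member.name!r}: parent resolves to {parent}, outside {root}")
            _write_member(tf, member, target)


def demo() -> tuple:
    """Run both extractors in a throwaway tree:
        <tmp>/outside     the directory the archive tries to reach
        <tmp>/dest_naive  extraction root for the vulnerable extractor
        <tmp>/dest_safe   extraction root for the hardened extractor
    Returns (naive_escaped, safe_refused)."""
    blob = build_malicious_tar()
    with tempfile.TemporaryDirectory() as top:
        outside = os.path.join(top, "outside")
        os.mkdir(outside)
        escaped_file = os.path.join(outside, "pwned.txt")

        naive_dest = os.path.join(top, "dest_naive")
        os.mkdir(naive_dest)
        naive_extract(blob, naive_dest)
        naive_escaped = os.path.isfile(escaped_file)
        if naive_escaped:
            os.remove(escaped_file)

        safe_dest = os.path.join(top, "dest_safe")
        os.mkdir(safe_dest)
        try:
            safe_extract(blob, safe_dest)
            safe_refused = False
        except ValueError:
            safe_refused = not os.path.exists(escaped_file)
    return naive_escaped, safe_refused


if __name__ == "__main__":
    print(demo())  # expected (True, True): naive extractor escaped, hardened one refused
```

The realpath check closes the hole the CVE describes, but it is a check-then-act sequence: between resolving the parent and opening the file, a concurrent writer could swap the parent for a symlink. An extractor that must resist a hostile local user additionally opens the parent directory itself with O_NOFOLLOW semantics and creates entries relative to that descriptor (openat), or extracts into a private directory and validates the tree afterwards.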

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release             Version             Status
file-roller (PTS)    stretch             3.22.3-1+deb9u2     fixed
                     stretch (security)  3.22.3-1+deb9u1     vulnerable
                     buster              3.30.1-2+deb10u1    fixed
                     bullseye, sid       3.36.2-1            fixed

The information below is based on the following data on fixed versions.

Package      Type    Release     Fixed Version       Urgency  Origin      Debian Bugs
file-roller  source  jessie      3.14.1-1+deb8u2              DLA-2180-1
file-roller  source  stretch     3.22.3-1+deb9u2
file-roller  source  buster      3.30.1-2+deb10u1
file-roller  source  (unstable)  3.36.2-1                                 956638

Notes

https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
