CVE-2020-36314

Name
CVE-2020-36314
Description
fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.
NVD Severity
low
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
Patch https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnome:file-roller:*:*:*:*:*:*:*:* file-roller >= None <= 3.38.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
file-roller 3.13-community 3.38.0-r1 Rasmus Thomsen <oss@cogitri.dev> fixed