First published: Mon Apr 13 2020
fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
Credit: cve@mitre.org
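As an added illustration (not file-roller's code and not the upstream fix), the Python function below shows the kind of parent-directory check the description says was missing: before an archive member is written, the parent directory of its target path is resolved with realpath and must lie inside the extraction root, so a parent that is a symlink to an outside directory is rejected even though the member name contains no `..`. The `demo` function, its temporary directories and the `link/file.txt` member are constructed for this example.

```python
import os
import tempfile


def is_safe_extraction_path(extract_root: str, member_name: str) -> bool:
    """Return True only if member_name may be written under extract_root.

    The parent directory of the would-be target is resolved with realpath,
    so a parent that is a symlink pointing outside extract_root is rejected
    even though the member name itself contains no '..' component.
    """
    root = os.path.realpath(extract_root)
    # Absolute or empty member names are never acceptable in an archive.
    if not member_name or os.path.isabs(member_name):
        return False
    target = os.path.join(root, member_name)
    # realpath follows symlinks in every component of the parent path;
    # a not-yet-existing parent is simply normalised, not an error.
    parent = os.path.realpath(os.path.dirname(target))
    # The resolved parent must be the root itself or lie beneath it.
    # commonpath is used rather than a string prefix test so that
    # /tmp/x does not accept /tmp/xy and a root of "/" still works.
    return os.path.commonpath([root, parent]) == root


def demo() -> dict:
    """Constructed scenario (no real archive): an earlier member has already
    created the symlink <root>/link -> <outside>, and later members are
    about to be written."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        os.symlink(outside, os.path.join(root, "link"))
        return {
            "plain":       is_safe_extraction_path(root, "sub/file.txt"),
            "new_dir":     is_safe_extraction_path(root, "new/dir/file.txt"),
            "via_symlink": is_safe_extraction_path(root, "link/file.txt"),
            "dotdot":      is_safe_extraction_path(root, "../file.txt"),
            "absolute":    is_safe_extraction_path(root, "/tmp/file.txt"),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'rejected'}")
```

The check must run against the on-disk state at the moment each member is extracted, because the offending symlink may have been created by an earlier member of the same archive. A member whose final component is itself an existing symlink needs separate handling (for example opening the target with O_NOFOLLOW), since this check only covers the parent.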
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/file-roller | <3.28.0-1ubuntu1.2 | 3.28.0-1ubuntu1.2 |
ubuntu/file-roller | <3.32.2-1ubuntu0.1 | 3.32.2-1ubuntu0.1 |
ubuntu/file-roller | <3.36.1-1ubuntu0.1 | 3.36.1-1ubuntu0.1 |
ubuntu/file-roller | <3.16.5-0ubuntu1.4 | 3.16.5-0ubuntu1.4 |
GNOME file-roller | <=3.36.1 | |
Debian Debian Linux | =8.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.10 | |
Canonical Ubuntu Linux | =20.04 | |
redhat/file-roller | <3.36.2 | 3.36.2 |
debian/file-roller | 3.30.1-2+deb10u1 3.38.1-1 43.0-1 43.1-1 | |
CVE-2020-11736 is a vulnerability in GNOME file-roller through version 3.36.1 that allows Directory Traversal during extraction.
The severity of CVE-2020-11736 is low, with a CVSS score of 3.9.
CVE-2020-11736 affects file-roller versions 3.28.0-1ubuntu1.2, 3.32.2-1ubuntu0.1, 3.36.1-1ubuntu0.1, 3.16.5-0ubuntu1.4, and 3.36.2, as well as other distributions and versions.
The vulnerability has been patched in file-roller version 3.36.2.
More information about CVE-2020-11736 can be found at the following references: [CVE-2020-11736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11736), [GNOME file-roller commit](https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0), [Ubuntu security advisory](https://ubuntu.com/security/notices/USN-4332-1).