MGASA-2021-0311 - Updated file-roller packages fix security vulnerability

Publication date: 04 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0311.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2020-36314

Updated file-roller package fixes security vulnerability:

A path traversal vulnerability was found in file-roller due to an
incomplete fix for CVE-2020-11736. It may still be possible to extract
files outside of the intended directory in case of malicious archives
containing symbolic links. The highest threat from this vulnerability
is to data integrity and system availability (CVE-2020-36314).

Also, the patch for CVE-2020-11736 was not applied correctly in the
previous update for Mageia 7 (MGASA-2020-0218). This has been corrected.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29006
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/
- https://advisories.mageia.org/MGASA-2020-0218.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36314

SRPMS:
- 8/core/file-roller-3.38.0-1.1.mga8
- 7/core/file-roller-3.32.1-2.2.mga7