Bug 997822 (CVE-2016-7162) - VUL-0: CVE-2016-7162: file-roller: File Roller path traversal
Status: RESOLVED FIXED
Alias: CVE-2016-7162
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172442/
Whiteboard: CVSSv2:RedHat:CVE-2016-7162:4.3:(AV:N...
Reported: 2016-09-08 07:31 UTC by Victor Pereira
Modified: 2020-05-19 19:25 UTC

Found By: Security Response Team


Attachments
PoC (10.00 KB, application/x-tar)
2016-09-08 07:31 UTC, Victor Pereira

Description Victor Pereira 2016-09-08 07:31:33 UTC
Created attachment 691333
PoC

CVE-2016-7162

File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug
that could result in deleted files if a user were tricked into opening a
malicious archive.

3.20.3 news:
http://ftp.gnome.org/mirror/gnome.org/sources/file-roller/3.20/file-roller-3.20.3.news
3.21.90 news:
http://ftp.gnome.org/mirror/gnome.org/sources/file-roller/3.21/file-roller-3.21.90.news
Distro bug: https://launchpad.net/bugs/1171236
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=698554
Introduced by:
https://git.gnome.org/browse/file-roller/commit/?id=34b64f3a897c4b4e8e180c028f326bc921eb08ec
Fixed by:
https://git.gnome.org/browse/file-roller/commit/?id=f70be1f41688859ec8dbe266df35a1839ceb96c5

= Setup =

Create /dev/shm/will-be-emptied/important.txt which will act as an
important file that we wouldn't want to lose.

$ mkdir -p /dev/shm/will-be-emptied/
$ echo data > /dev/shm/will-be-emptied/important.txt

= Test =

1. Open the attached links.tar with File Roller

  $ file-roller links.tar

2. Double-click either of the "absolute" or "relative" files

3. Close the opened Nautilus window as well as the File Roller window

4. Check to see if /dev/shm/will-be-emptied/important.txt has been
unintentionally deleted


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7162
http://seclists.org/oss-sec/2016/q3/440
Comment 1 Bjørn Lie 2016-09-08 07:55:14 UTC
So we are in the green with SLED SP2 and Leap 42.2 (Tw too ofc).

That means we need to backport the commit to 13.2 and 42.1.

The diff is nice and small, so I suspect it will be a clean backport.

Any volunteers?
Comment 2 Swamp Workflow Management 2016-09-08 22:00:28 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2016-09-09 00:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (997822) was mentioned in
https://build.opensuse.org/request/show/425941 13.2+42.1 / file-roller
Comment 4 Swamp Workflow Management 2016-09-19 17:11:07 UTC
openSUSE-SU-2016:2338-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 997822
CVE References: CVE-2016-7162
Sources used:
openSUSE Leap 42.1 (src):    file-roller-3.16.5-7.2
openSUSE 13.2 (src):    file-roller-3.14.2-7.2
Comment 5 Marcus Meissner 2017-07-13 12:22:01 UTC
fixed