Bug 1151585 (CVE-2019-16680) - VUL-1: CVE-2019-16680: file-roller: possible path traversal via filename contained in a TAR archive
Status: RESOLVED FIXED
Alias: CVE-2019-16680
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/243121/
Whiteboard: CVSSv3:SUSE:CVE-2019-16680:3.9:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-23 06:31 UTC by Alexander Bergmann
Modified: 2024-05-06 12:41 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2019-09-23 06:31:15 UTC
CVE-2019-16680

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single
./../ path traversal via a filename contained in a TAR archive, possibly
overwriting a file during extraction.

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=794337

Upstream fixes:
https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2
https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16680
http://www.cvedetails.com/cve/CVE-2019-16680/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16680
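The following script is an added illustration of the bug class named in the report; it is not code from file-roller, from the upstream fixes, or from this bug. It builds a small tar archive in memory (constructed sample data) containing one normal member and one member whose name starts with the "./../" prefix the description mentions, shows where a join-and-normalise extractor would write that member, and applies the containment check an extractor needs before writing. The check goes beyond the single "./../" case and also rejects deeper traversal and absolute member names. The destination directory and member names are arbitrary choices for the example; nothing is written to disk.

```python
import io
import os
import tarfile

# Constructed sample archive: one benign member and one member whose name
# carries the "./../" prefix from the advisory text.
SAMPLE_MEMBERS = (
    ("docs/readme.txt", b"hello\n"),
    ("./../escape.txt", b"overwrite\n"),
)


def build_sample_tar() -> bytes:
    """Return a tar archive (bytes) with the constructed SAMPLE_MEMBERS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)  # name is stored exactly as given
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def naive_target(dest: str, member_name: str) -> str:
    """Where an extractor that only joins dest and member name would write.

    With member_name == "./../escape.txt" this lands in the parent of dest,
    which is the overwrite the advisory describes.
    """
    return os.path.normpath(os.path.join(dest, member_name))


def is_within(dest: str, member_name: str) -> bool:
    """True only if the resolved target stays inside dest.

    commonpath() is used rather than str.startswith(): a prefix test would
    wrongly accept "/tmp/out2/x" as being inside "/tmp/out".
    """
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:
        # Different drives on Windows: cannot be inside dest.
        return False


def classify_members(tar_bytes: bytes, dest: str) -> dict:
    """Dry-run an extraction: map each member name to "ok" or "rejected".

    Nothing is extracted; this only applies the containment check that an
    extractor must run before creating any file.
    """
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            verdicts[member.name] = "ok" if is_within(dest, member.name) else "rejected"
    return verdicts


if __name__ == "__main__":
    dest = os.path.join(os.sep, "tmp", "extract")  # hypothetical destination
    for name, verdict in classify_members(build_sample_tar(), dest).items():
        print(f"{name!r}: {verdict}; naive extractor would write {naive_target(dest, name)}")
```

Recent Python releases offer the same protection natively: `tarfile.TarFile.extractall(..., filter="data")` (Python 3.12, also backported to maintenance releases) refuses members that would land outside the destination, so the hand-written check above is only needed for older interpreters or for extractors written in other languages.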
Comment 5 Swamp Workflow Management 2020-04-23 19:39:35 UTC
SUSE-SU-2020:1088-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1151585
CVE References: CVE-2019-16680
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    file-roller-3.20.3-15.3.25
SUSE Linux Enterprise Server 12-SP4 (src):    file-roller-3.20.3-15.3.25

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-06-08 13:26:07 UTC
SUSE-SU-2020:1557-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1151585,1169428
CVE References: CVE-2019-16680,CVE-2020-11736
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    file-roller-3.26.2-4.5.1

Comment 9 Swamp Workflow Management 2020-06-17 22:16:13 UTC
openSUSE-SU-2020:0825-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1151585,1169428
CVE References: CVE-2019-16680,CVE-2020-11736
Sources used:
openSUSE Leap 15.1 (src):    file-roller-3.26.2-lp151.4.3.1
Comment 10 Thomas Leroy 2024-05-06 12:41:48 UTC
All done, closing.