Mageia alert MGASA-2021-0311 (file-roller) [LWN.net]

From:
               Mageia Updates <buildsystem-daemon@mageia.org>
To:
               updates-announce@ml.mageia.org
Subject:
               [updates-announce] MGASA-2021-0311: Updated file-roller packages fix security vulnerability
Date:
               Sun, 04 Jul 2021 04:15:03 +0200
Message-ID:
               <20210704021503.1B8F6A013F@duvel.mageia.org>
Archive-link:
               Article
MGASA-2021-0311 - Updated file-roller packages fix security vulnerability

Publication date: 04 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0311.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2020-36314

Description:
Updated file-roller package fixes security vulnerability:

A path traversal vulnerability was found in file-roller due to an
incomplete fix for CVE-2020-11736. It may still be possible to extract
files outside of the intended directory in case of malicious archives
containing symbolic links. The highest threat from this vulnerability
is to data integrity and system availability (CVE-2020-36314).

Also, the patch for CVE-2020-11736 was not applied correctly in the
previous update for Mageia 7 (MGASA-2020-0218). This has been corrected.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29006
-
https://lists.fedoraproject.org/archives/list/package-ann...
- https://advisories.mageia.org/MGASA-2020-0218.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3...

SRPMS:
- 8/core/file-roller-3.38.0-1.1.mga8
- 7/core/file-roller-3.32.1-2.2.mga7

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2021-0311: Updated file-roller packages fix security vulnerability
Date:		Sun, 04 Jul 2021 04:15:03 +0200
Message-ID:		<20210704021503.1B8F6A013F@duvel.mageia.org>
Archive-link:		Article