-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3817
                        file-roller security update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           file-roller
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-36314 CVE-2020-11736 

Reference:         ESB-2021.1412
                   ESB-2020.3846
                   ESB-2020.2112
                   ESB-2020.1375.2
                   ESB-2020.1369

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4179

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: file-roller security update
Advisory ID:       RHSA-2021:4179-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4179
Issue date:        2021-11-09
CVE Names:         CVE-2020-36314 
=====================================================================

1. Summary:

An update for file-roller is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

File Roller is an application for creating and viewing archive files, such
as tar or zip files.

Security Fix(es):

* file-roller: directory traversal via directory symlink pointing outside
of the target directory (incomplete fix for CVE-2020-11736)
(CVE-2020-36314)
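The bug class named above is a symlink-based directory traversal: an archive first creates a symlink entry ("docs" -> "../outside"), then a regular file entry "docs/pwned.txt"; an extractor that writes entries by name alone opens the second entry through the link and lands outside the extraction directory. The original fix for CVE-2020-11736 did not cover the case where the symlink is a directory component of a later entry, which is what CVE-2020-36314 addresses. The script below is an added illustration of that pattern and of the check that closes it (resolve every symlink already on disk before touching the filesystem, and also check where a symlink entry would point); it is not file-roller's code, which is C and extracts through libarchive. The tar archive is constructed in memory, and the "outside" directory stands in for something like ~/.ssh.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive: a directory symlink pointing outside the
    extraction root, followed by a file whose path goes through the link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("docs")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"        # a sibling of the target directory
        tar.addfile(link)

        payload = b"owned\n"
        member = tarfile.TarInfo("docs/pwned.txt")
        member.size = len(payload)
        tar.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def naive_extract(archive: bytes, target: str) -> None:
    """Vulnerable pattern: entries are written under target by name only, so
    the file entry is opened through the symlink the archive just created."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            dest = os.path.join(target, member.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if member.issym():
                os.symlink(member.linkname, dest)
            elif member.isfile():
                with open(dest, "wb") as fh:    # follows target/docs -> ../outside
                    fh.write(tar.extractfile(member).read())


def is_within(root: str, path: str) -> bool:
    """True if path, after resolving every symlink already on disk, is still
    inside root. Components that do not exist yet are kept literally."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(path)]) == root_real


def safe_extract(archive: bytes, target: str) -> list:
    """Hardened pattern: check the resolved location of every entry before
    writing, and for symlinks also check where the link would point.
    Returns the names of rejected entries."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            dest = os.path.join(target, member.name)
            if not is_within(target, dest):
                rejected.append(member.name)
                continue
            if member.issym():
                link_target = os.path.join(os.path.dirname(dest), member.linkname)
                if not is_within(target, link_target):
                    rejected.append(member.name)
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                os.symlink(member.linkname, dest)
            elif member.isdir():
                os.makedirs(dest, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
            else:
                rejected.append(member.name)    # hard links, devices, etc.
    return rejected


def demo() -> dict:
    """Runs both extractors in a throwaway tree; 'outside' plays ~/.ssh."""
    root = tempfile.mkdtemp()
    outside = os.path.join(root, "outside")
    os.mkdir(outside)
    archive = build_malicious_tar()

    naive_target = os.path.join(root, "naive")
    os.mkdir(naive_target)
    naive_extract(archive, naive_target)

    safe_target = os.path.join(root, "safe")
    os.mkdir(safe_target)
    safe_rejected = safe_extract(archive, safe_target)

    # A link already present in the target (left by an earlier, unchecked
    # extraction) is caught by the realpath check on the file entry itself.
    stale_target = os.path.join(root, "stale")
    os.mkdir(stale_target)
    os.symlink("../outside", os.path.join(stale_target, "docs"))
    stale_rejected = safe_extract(archive, stale_target)

    return {
        "naive_escaped": os.path.isfile(os.path.join(outside, "pwned.txt")),
        "safe_rejected": safe_rejected,
        "stale_rejected": stale_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The realpath check is what distinguishes the complete fix from the incomplete one: rejecting symlink entries that point outside is not enough, because a link that already exists (from an earlier archive or an earlier entry) still redirects later entries, so the resolved destination of every entry must be checked. The check-then-write sequence still leaves a race against a local attacker who can create links in the target concurrently; extracting into a freshly created, user-owned directory narrows that window. Python 3.12's tarfile "data" extraction filter (PEP 706) applies comparable rules for callers who use extractall directly.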

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1947534 - CVE-2020-36314 file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
file-roller-3.28.1-4.el8.src.rpm

aarch64:
file-roller-3.28.1-4.el8.aarch64.rpm
file-roller-debuginfo-3.28.1-4.el8.aarch64.rpm
file-roller-debugsource-3.28.1-4.el8.aarch64.rpm

ppc64le:
file-roller-3.28.1-4.el8.ppc64le.rpm
file-roller-debuginfo-3.28.1-4.el8.ppc64le.rpm
file-roller-debugsource-3.28.1-4.el8.ppc64le.rpm

s390x:
file-roller-3.28.1-4.el8.s390x.rpm
file-roller-debuginfo-3.28.1-4.el8.s390x.rpm
file-roller-debugsource-3.28.1-4.el8.s390x.rpm

x86_64:
file-roller-3.28.1-4.el8.x86_64.rpm
file-roller-debuginfo-3.28.1-4.el8.x86_64.rpm
file-roller-debugsource-3.28.1-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-36314
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----