← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1171236] Re: file-roller may delete the content of linked folder (?)

 

This bug was fixed in the package file-roller - 3.10.2.1-0ubuntu4.2

---------------
file-roller (3.10.2.1-0ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Path traversal flaw allows arbitrary file deletion via
    malicious archive (LP: #1171236)
    - debian/patches/CVE-2016-7162.patch: Do not follow symlinks when deleting
      a folder recursively. Based on upstream patch.
    - CVE-2016-7162

 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx>  Thu, 08 Sep 2016 09:17:49 -0500

** Changed in: file-roller (Ubuntu Trusty)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-7162

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1171236

Title:
  file-roller may delete the content of linked folder (?)

Status in File Roller:
  Fix Released
Status in file-roller package in Ubuntu:
  Fix Committed
Status in file-roller source package in Trusty:
  Fix Released
Status in file-roller source package in Xenial:
  In Progress

Bug description:
  (Excuse my english, I'm not a native speaker. I will try to be as
  clear as possible).

  After attempting to create an archive from folders who where actually
  just links, it seems that file-roller deleted all their content.

  Here are the steps I did :
  - Inside a folder, I had a dozen subfolders. Half of them where just links to folders placed elsewhere.
  - In Nautilus, I selected all these subfolders, choosed "compress", then choosed "zip" as the format.
  - The archive was created without any error message.

  I was expecting all the folders to be added to the archive, regardless
  of them being links or not.

  The disastrous result :
  - The archive is unusable. Attempting to expand it results in an error message (I didn't take note, but it was something generic saying the archive couldn't be expanded).
  - But more importantly, the content of the folders who where linked has disappeared. That is, the links are still here, the folders which they link to are still here, but they have been emptied.
  The files are not in the dustbin, they just disappeared.

  I noticed this right after I created the archive, I didn't touch my computer in-between.
  That's why I suspect file-roller.

  I will try to reproduce this bug in order to confirm it.
  But not before I find a way to recover my files, I lost a week of work because of this.

  Ubuntu 12.10 x64
  file-roller 3.6.1.1-0ubuntu1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/file-roller/+bug/1171236/+subscriptions