• Bug#1063494: engrampa: CVE-2023-52138: Path traversal via crafted cpio

    From Salvatore Bonaccorso@21:1/5 to All on Thu Feb 8 23:00:01 2024
    Source: engrampa
    Version: 1.26.1-4
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for engrampa.

    CVE-2023-52138[0]:
    | Engrampa is an archive manager for the MATE environment. Engrampa is
    | found to be vulnerable to a Path Traversal vulnerability that can be
    | leveraged to achieve full Remote Command Execution (RCE) on the
    | target. While handling CPIO archives, the Engrampa Archive manager
    | follows symlinks: cpio by default will follow stored symlinks while
    | extracting, and the Archiver will not check the symlink location,
    | which leads to arbitrary file writes to unintended locations. When
    | the victim extracts the archive, the attacker can craft a malicious
    | cpio or ISO archive to achieve RCE on the target system. This
    | vulnerability was fixed in commit 63d5dfa.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
    [1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
    [2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v


    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
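    The mechanism in the CVE text above (a stored symlink that cpio follows on extraction, with no check on where it points, so a later entry in the same archive is written outside the extraction directory), as an added Python example that is not code from engrampa, from GNU cpio or from this bug report. It builds a constructed newc cpio archive in that shape and runs the check a safe extractor should perform before writing anything: resolve each entry's path against the symlinks the archive itself declared earlier and refuse anything that would land outside the destination. The destination /home/victim/extract, the entry names and the payload bytes are assumptions chosen for illustration; the check also covers plain `..` components and absolute entry names, which go beyond the symlink case the CVE text describes.

```python
"""Audit a cpio (SVR4 'newc') archive for symlink and dot-dot path traversal.

Added example; not engrampa's or GNU cpio's code. Builder, parser and
resolver are written here from the newc on-disk format so the script runs
offline without a cpio binary.
"""
import posixpath
import stat

MAGIC = b"070701"    # SVR4 newc magic
HDR_LEN = 110        # 6-byte magic + 13 fields of 8 hex digits
MAX_LINK_HOPS = 40   # guard against symlink loops declared inside the archive
REG = stat.S_IFREG | 0o644
LNK = stat.S_IFLNK | 0o777


def _pad4(n):
    return (4 - n % 4) % 4


def newc_entry(name, mode, data):
    """Serialise one entry: header, NUL-terminated name, data, 4-byte padding."""
    name_b = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))


def build_archive(entries):
    """entries: iterable of (name, mode, data); appends the TRAILER!!! record."""
    body = b"".join(newc_entry(n, m, d) for n, m, d in entries)
    return body + newc_entry("TRAILER!!!", 0, b"")


def parse_newc(buf):
    """Yield (name, mode, data) per entry, stopping at the trailer."""
    off = 0
    while off + HDR_LEN <= len(buf):
        if buf[off:off + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode()
        data_off = off + HDR_LEN + namesize + _pad4(HDR_LEN + namesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[data_off:data_off + size]
        off = data_off + size + _pad4(size)
    raise ValueError("truncated archive: no trailer")


def _resolve(path, base, links, depth=0):
    """Where `path` lands on disk once the symlinks in `links` exist.

    Pure string computation mimicking per-component lookup: when a component
    is a symlink the archive declared earlier, its target is resolved in turn
    (relative to the link's directory). Never touches the real filesystem.
    A symlink loop inside the archive raises ValueError; treat that as reject.
    """
    if depth > MAX_LINK_HOPS:
        raise ValueError("symlink loop while resolving %r" % path)
    cur = "/" if posixpath.isabs(path) else base
    for part in path.split("/"):
        if part in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, part))
        if cur in links:
            cur = _resolve(links[cur], posixpath.dirname(cur), links, depth + 1)
    return cur


def _inside(path, dest):
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def audit_archive(buf, dest):
    """Return [(entry name, reason)] for every entry a safe extractor must refuse."""
    dest = posixpath.normpath(dest)
    links = {}       # absolute on-disk path of an extracted symlink -> stored target
    problems = []
    for name, mode, data in parse_newc(buf):
        if posixpath.isabs(name):
            problems.append((name, "absolute path"))
            continue
        where = _resolve(name, dest, links)
        if not _inside(where, dest):
            problems.append((name, "would be written to %s, outside %s" % (where, dest)))
            continue
        if stat.S_ISLNK(mode):
            target = data.decode(errors="replace")
            links[where] = target        # later entries may pass through it
            points_at = _resolve(target, posixpath.dirname(where), links)
            if not _inside(points_at, dest):
                problems.append((name, "symlink to %s, outside %s" % (points_at, dest)))
    return problems


# Constructed sample (not a real capture) in the CVE-2023-52138 shape: a symlink
# out of the extraction directory followed by a file written through it, plus a
# plain dot-dot entry for comparison. Paths and payloads are assumptions.
DEST = "/home/victim/extract"
MALICIOUS = build_archive([
    ("readme.txt", REG, b"looks harmless\n"),
    ("escape", LNK, b".."),                       # -> /home/victim
    ("escape/.bashrc", REG, b"echo pwned\n"),     # lands in the victim's $HOME
    ("../../../etc/cron.d/job", REG, b"* * * * * root id\n"),
])

if __name__ == "__main__":
    for name, reason in audit_archive(MALICIOUS, DEST):
        print("REJECT %-25s %s" % (name, reason))
```

    Run it directly to print the three rejected entries. A pre-scan of this kind is only sound if nothing else can write into the destination between the scan and the extraction; an extractor that creates the files itself should additionally open each path with O_NOFOLLOW on the final component (on Linux, openat2 with RESOLVE_BENEATH covers every component) so that a symlink planted by any means cannot redirect the write.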
  • From Debian Bug Tracking System@21:1/5 to All on Sun Feb 11 12:40:02 2024
    This is a multi-part message in MIME format...

    Your message dated Sun, 11 Feb 2024 11:34:19 +0000
    with message-id <E1rZ86F-006EEx-0O@fasolo.debian.org>
    and subject line Bug#1063494: fixed in engrampa 1.26.2-1
    has caused the Debian Bug report #1063494,
    regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 8 Feb 2024 21:47:55 +0000
    X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
    (2021-04-09) on buxtehude.debian.org
    X-Spam-Level:
    X-Spam-Status: No, score=-9.9 required=4.0 tests=BAYES_00,FOURLA,FROMDEVELOPER,
    KHOP_HELO_FCRDNS,MD5_SHA1_SUM,RDNS_DYNAMIC,SPF_HELO_NONE,SPF_NONE,
    T_SCC_BODY_TEXT_LINE,XMAILER_REPORTBUG autolearn=ham
    autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02
    X-Spam-Bayes: score:0.0000 Tokens: new, 24; hammy, 150; neutral, 70; spammy,
    0. spammytokens: hammytokens:0.000-+--H*F:U*carnil,
    0.000-+--X-Debbugs-Cc, 0.000-+--XDebbugsCc, 0.000-+--H*M:reportbug,
    0.000-+--H*MI:reportbug
    Return-path: <carnil@debian.org>
    Received: from c-82-192-242-114.customer.ggaweb.ch ([82.192.242.114]:37710 helo=eldamar.lan)
    by buxtehude.debian.org with esmtp (Exim 4.94.2)
    (envelo
  • From Debian Bug Tracking System@21:1/5 to All on Sun Feb 18 18:00:01 2024
    This is a multi-part message in MIME format...

    Your message dated Sun, 18 Feb 2024 16:47:10 +0000
    with message-id <E1rbkJq-008Q8c-IQ@fasolo.debian.org>
    and subject line Bug#1063494: fixed in engrampa 1.26.0-1+deb12u2
    has caused the Debian Bug report #1063494,
    regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Wed Feb 21 09:00:01 2024
    This is a multi-part message in MIME format...

    Your message dated Wed, 21 Feb 2024 07:47:31 +0000
    with message-id <E1rchKF-004Mdx-0X@fasolo.debian.org>
    and subject line Bug#1063494: fixed in engrampa 1.24.1-1+deb11u1
    has caused the Debian Bug report #1063494,
    regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
