
Bug#1063494: marked as done (engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers)



Your message dated Sun, 11 Feb 2024 11:34:19 +0000
with message-id <E1rZ86F-006EEx-0O@fasolo.debian.org>
and subject line Bug#1063494: fixed in engrampa 1.26.2-1
has caused the Debian Bug report #1063494,
regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlinks; cpio by default will follow stored symlinks while
| extracting, and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v


Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
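The CVE text above describes the mechanism only in prose: a stored symlink is created first, a later entry's path passes through it, and the extractor writes wherever the link points. The following Python is an added illustration for this page, not Engrampa's code and not the upstream fix (the changelog below says the cpio backend was replaced with unar). It builds a constructed SVR4 "newc" cpio archive in memory, runs it through an extractor that trusts entry names, and then through one that resolves every parent directory with realpath() and refuses anything that lands outside the destination. The names `craft_archive`, `extract_naive`, `extract_safe` and `demo`, and the archive contents, are hypothetical.

```python
import os
import stat
import tempfile


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc aligns names and data)."""
    return (4 - n % 4) % 4


def _newc_entry(name, mode, data, ino):
    """Serialise one SVR4 'newc' cpio entry: 110-byte ASCII header, NUL-terminated name, data."""
    name_b = name.encode() + b"\0"
    # Field order: ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize (incl. NUL), check. Each is 8 lowercase hex digits.
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    body = b"070701" + b"".join(b"%08x" % v for v in fields) + name_b
    body += b"\0" * _pad4(len(body))
    return body + data + b"\0" * _pad4(len(data))


def build_cpio(entries):
    """entries: iterable of (name, mode, data). Appends the TRAILER!!! record."""
    blob = b"".join(_newc_entry(n, m, d, i + 1) for i, (n, m, d) in enumerate(entries))
    return blob + _newc_entry("TRAILER!!!", 0, b"", 0)


def parse_cpio(blob):
    """Yield (name, mode, data) for each entry of a newc archive, stopping at the trailer."""
    pos = 0
    while True:
        if blob[pos:pos + 6] != b"070701":
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        data_start = pos + 110 + namesize + _pad4(110 + namesize)
        yield name, mode, blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)


def craft_archive(outside_dir):
    """Constructed malicious archive (example only): 'esc' is a symlink to outside_dir and
    'esc/payload' is a regular file that a naive extractor writes through that link."""
    return build_cpio([
        ("esc", stat.S_IFLNK | 0o777, outside_dir.encode()),
        ("esc/payload", stat.S_IFREG | 0o644, b"written through the symlink\n"),
    ])


def extract_naive(blob, dest):
    """Extractor that trusts entry names and lets the kernel follow any symlink on the
    path (the failure mode the CVE text describes). Returns the real paths it wrote."""
    written = []
    for name, mode, data in parse_cpio(blob):
        path = os.path.join(dest, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)  # isdir() follows the link, so no error
        if stat.S_ISLNK(mode):
            os.symlink(data.decode(), path)
        elif stat.S_ISDIR(mode):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "wb") as fh:  # parent 'esc' is a symlink: this lands outside dest
                fh.write(data)
            written.append(os.path.realpath(path))
    return written


def extract_safe(blob, dest):
    """Same archive, but each parent is resolved with realpath() and must stay inside dest,
    and the final component is opened with O_NOFOLLOW|O_EXCL. Returns the refused names."""
    dest = os.path.realpath(dest)
    refused = []
    for name, mode, data in parse_cpio(blob):
        if name.startswith("/") or ".." in name.split("/"):
            refused.append(name)  # traversal in the name itself
            continue
        path = os.path.join(dest, name)
        parent = os.path.realpath(os.path.dirname(path))
        if parent != dest and not parent.startswith(dest + os.sep):
            refused.append(name)  # a symlink somewhere on the path resolves outside dest
            continue
        if stat.S_ISLNK(mode):
            os.symlink(data.decode(), path)  # the link is inert; only writes through it matter
        elif stat.S_ISDIR(mode):
            os.mkdir(path)
        else:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
    return refused


def demo():
    """Run both extractors on the constructed archive inside a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for label, extractor in (("naive", extract_naive), ("safe", extract_safe)):
            outside = os.path.join(tmp, label + "_outside")  # stands in for a sensitive dir
            dest = os.path.join(tmp, label + "_extract")
            os.mkdir(outside)
            os.mkdir(dest)
            results[label] = extractor(craft_archive(outside), dest)
            results[label + "_escaped"] = os.path.exists(os.path.join(outside, "payload"))
        return results


if __name__ == "__main__":
    print(demo())
```

The realpath check is a check-then-act sequence: O_NOFOLLOW protects only the final path component, so a concurrent writer who swaps a parent directory for a symlink between the check and the open() still wins. A robust extractor walks the path with directory file descriptors (openat-style) or, as the Debian changelog below records for this package, delegates to an archiver that does not follow stored symlinks in the first place.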
--- Begin Message ---
Source: engrampa
Source-Version: 1.26.2-1
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
engrampa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated engrampa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Feb 2024 12:17:26 +0100
Source: engrampa
Architecture: source
Version: 1.26.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1063494
Changes:
 engrampa (1.26.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2023-52138: Use unar instead of cpio. (Closes: #1063494).
Checksums-Sha1:
 d12517f43affb04e50eda50309bb2ee9334da4cb 2393 engrampa_1.26.2-1.dsc
 641149b9b8eaeebd63eabb2258bbd61819884e60 1182640 engrampa_1.26.2.orig.tar.xz
 7d698799ce1e98b21c9b550c26f1bc1157869049 12412 engrampa_1.26.2-1.debian.tar.xz
 89304c4e2a6f90ee279f4c6c190832077bb78505 17253 engrampa_1.26.2-1_source.buildinfo
Checksums-Sha256:
 c210dc9d7e7f9c38537038110b78d2a1b44aa245628201433f20fcfa58170ed5 2393 engrampa_1.26.2-1.dsc
 6a3d92b784d3506326b235fa70050b47448d6e3590d49b93f5222487d63285b9 1182640 engrampa_1.26.2.orig.tar.xz
 b68819551af33ea99f7719ee72ed34b6a9cbc60f72e954596ef457cbd523ff98 12412 engrampa_1.26.2-1.debian.tar.xz
 f2047e9b8777a3bc60610e70992654965856fce17703c1c3a1cdea912c7fff0b 17253 engrampa_1.26.2-1_source.buildinfo
Files:
 942fc941bea1942a0f3b4a9003bc8e68 2393 x11 optional engrampa_1.26.2-1.dsc
 65e979666be5310985e6651562caac79 1182640 x11 optional engrampa_1.26.2.orig.tar.xz
 b7d7a623e1544d932f4b42b9192b0d63 12412 x11 optional engrampa_1.26.2-1.debian.tar.xz
 1b84aef6ffa3e5397969102e2a71ec31 17253 x11 optional engrampa_1.26.2-1_source.buildinfo



--- End Message ---
