Your message dated Sun, 11 Feb 2024 11:34:19 +0000
with message-id <E1rZ86F-006EEx-0O@fasolo.debian.org>
and subject line Bug#1063494: fixed in engrampa 1.26.2-1
has caused the Debian Bug report #1063494,
regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 08 Feb 2024 22:47:52 +0100
- Message-id: <170742887277.54521.14037318172522929187.reportbug@eldamar.lan>
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlink, cpio by default will follow stored symlinks while
| extracting and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
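The failure mode the report describes is an extractor that honours a symlink stored earlier in the archive and then writes a later entry through it. The check below is an added example, not code from the bug report, from engrampa or from cpio: it parses the SVR4 "newc" cpio header format directly, and before anything is written it refuses entries with absolute paths or ".." components, symlinks whose target resolves outside the extraction root, and any entry whose path passes through a symlink declared earlier in the same archive. The archive bytes, the destination path "/tmp/extract" and the entry names are constructed for the example.

```python
"""Pre-extraction safety scan for cpio archives in the SVR4 'newc' format.

Added example (not engrampa or cpio code): parse the archive headers, then
refuse entries that would land outside the destination once symlinks stored
earlier in the same archive are taken into account.
"""
import posixpath
import stat

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 eight-digit hex fields
TRAILER = "TRAILER!!!"


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Serialise (name, mode, data) tuples as a newc archive.

    Used only to construct test input inline. Symlink entries carry the
    link target in their data section, which is how cpio stores them.
    """
    out = bytearray()
    for ino, (name, mode, data) in enumerate(list(entries) + [(TRAILER, 0, b"")], 1):
        name_b = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(blob):
    """Yield (name, mode, data) for each entry up to the trailer."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("not a newc header at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()   # drop the NUL
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, mode, data


def scan_cpio(blob, dest="/tmp/extract"):
    """Return [(name, reason)] for entries an extractor must refuse.

    dest is the intended extraction root (hypothetical default). Only
    symlinks declared inside the archive are modelled; links that already
    exist under dest on disk are a separate check.
    """
    dest = posixpath.normpath(dest)
    symlinks = {}          # archive path -> link target, in archive order
    findings = []
    for name, mode, data in iter_newc(blob):
        if posixpath.isabs(name):
            findings.append((name, "absolute path"))
            continue
        norm = posixpath.normpath(name)
        parts = norm.split("/")
        if ".." in parts:
            findings.append((name, "parent-directory component"))
            continue
        # A file placed under a symlink declared earlier would be written
        # wherever that link points: the pattern the CVE text describes.
        via = None
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                via = prefix
                break
        if via is not None:
            findings.append((name, "path passes through symlink %r -> %r" % (via, symlinks[via])))
            continue
        if stat.S_ISLNK(mode):
            target = data.decode()
            resolved = posixpath.normpath(posixpath.join(dest, posixpath.dirname(norm), target))
            if resolved != dest and not resolved.startswith(dest + "/"):
                findings.append((name, "symlink target leaves extraction root: %r" % target))
            symlinks[norm] = target
    return findings


# Constructed sample archives, not taken from any real capture.
SAMPLE_ARCHIVE = build_newc([
    ("docs", stat.S_IFDIR | 0o755, b""),
    ("docs/readme.txt", stat.S_IFREG | 0o644, b"hello\n"),
    ("docs/latest", stat.S_IFLNK | 0o777, b"readme.txt"),     # harmless, stays inside
    ("escape", stat.S_IFLNK | 0o777, b"/var/tmp/elsewhere"),  # points outside dest
    ("escape/payload.txt", stat.S_IFREG | 0o644, b"x\n"),     # write through the link
    ("../outside.txt", stat.S_IFREG | 0o644, b"y\n"),         # plain traversal
])
CLEAN_ARCHIVE = build_newc([("a", stat.S_IFDIR | 0o755, b""),
                            ("a/b.txt", stat.S_IFREG | 0o644, b"ok\n")])

if __name__ == "__main__":
    for name, reason in scan_cpio(SAMPLE_ARCHIVE):
        print("REFUSE %-20s %s" % (name, reason))
```

The scan is only meaningful if it runs over the whole archive before the first write: an extractor that checks each entry as it goes has already created the symlink by the time the entry that writes through it is examined. It also says nothing about symlinks that already exist under the destination on disk, which is why the upstream fix moved extraction to a tool that does not follow stored links rather than bolting a filter onto cpio.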
--- Begin Message ---
- To: 1063494-close@bugs.debian.org
- Subject: Bug#1063494: fixed in engrampa 1.26.2-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 11 Feb 2024 11:34:19 +0000
- Message-id: <E1rZ86F-006EEx-0O@fasolo.debian.org>
- Reply-to: Mike Gabriel <sunweaver@debian.org>
Source: engrampa
Source-Version: 1.26.2-1
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
engrampa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated engrampa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Feb 2024 12:17:26 +0100
Source: engrampa
Architecture: source
Version: 1.26.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1063494
Changes:
 engrampa (1.26.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2023-52138: Use unar instead of cpio. (Closes: #1063494).
Checksums-Sha1:
 d12517f43affb04e50eda50309bb2ee9334da4cb 2393 engrampa_1.26.2-1.dsc
 641149b9b8eaeebd63eabb2258bbd61819884e60 1182640 engrampa_1.26.2.orig.tar.xz
 7d698799ce1e98b21c9b550c26f1bc1157869049 12412 engrampa_1.26.2-1.debian.tar.xz
 89304c4e2a6f90ee279f4c6c190832077bb78505 17253 engrampa_1.26.2-1_source.buildinfo
Checksums-Sha256:
 c210dc9d7e7f9c38537038110b78d2a1b44aa245628201433f20fcfa58170ed5 2393 engrampa_1.26.2-1.dsc
 6a3d92b784d3506326b235fa70050b47448d6e3590d49b93f5222487d63285b9 1182640 engrampa_1.26.2.orig.tar.xz
 b68819551af33ea99f7719ee72ed34b6a9cbc60f72e954596ef457cbd523ff98 12412 engrampa_1.26.2-1.debian.tar.xz
 f2047e9b8777a3bc60610e70992654965856fce17703c1c3a1cdea912c7fff0b 17253 engrampa_1.26.2-1_source.buildinfo
Files:
 942fc941bea1942a0f3b4a9003bc8e68 2393 x11 optional engrampa_1.26.2-1.dsc
 65e979666be5310985e6651562caac79 1182640 x11 optional engrampa_1.26.2.orig.tar.xz
 b7d7a623e1544d932f4b42b9192b0d63 12412 x11 optional engrampa_1.26.2-1.debian.tar.xz
 1b84aef6ffa3e5397969102e2a71ec31 17253 x11 optional engrampa_1.26.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAmXIre4VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxU28P/ik12p8m80KJ0+rrv5fLfonJ7/d4
V1jqCjJQb9kFIBdWgzRL2Th1W+nxcFqDP4WHpmq45QVexyAhrC95bweI9Av3DTDS
pCvl48pJvh8jhFbrdJTckdYKxJus/njVHm3/XM03y1J6IFZg+JRI3FSjMNQJcFOx
6NIhF/p/XeQ1WCvY+zJyxxwXzIUylKzoYOR1SDcH9yRGSjSq28iVZCvivhlNSFme
9RR3SQG+ZFlVQHSvIiY0pMmamXW8gsX/6j3xNR3IeRuUdtZT+av6qag+Rb5twB53
Lg3lP95o16pPs6SYLCgyilwUsdn9HM2Wh2PGogOJpc4nzXxc1W2OEvrx2DN2Q/GA
y4rPWAtyA7DAMhJhzpIdCts8vGoLEhqmiJzXSzI6qif08GXdoEpDRMLp8R2cc1GH
bgDD3Jd6zySZ2IUJIhRMZvKrxQYd1QAlIFr1Y4tyjf0yKrLZYdbIPv9G//XY1QoA
c4iQqgJm3tdG7WOMvftM0DUEFiBmI7VyFP+fB99a/OMHSYJ4iLv0NM64WHlTfKEU
vzw7AHSs2t12w0u20uUBA7BJRh1E47XeQ2fsEHHdKIhgQPRRU3/FJ7RGHiNcGocB
TKpW6mFkH5hlla/DmuZXh9rHQkOZ+Gg4DGE7cruUMOw4nUNuALSGulNijtpUyETn
seiKYhpfaeEG6DBE
=X62J
-----END PGP SIGNATURE-----

Attachment: pgpZkNIq5_chE.pgp
Description: PGP signature
--- End Message ---