
Bug#1063494: marked as done (engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers)



Your message dated Wed, 21 Feb 2024 07:47:31 +0000
with message-id <E1rchKF-004Mdx-0X@fasolo.debian.org>
and subject line Bug#1063494: fixed in engrampa 1.24.1-1+deb11u1
has caused the Debian Bug report #1063494,
regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlinks; cpio by default will follow stored symlinks while
| extracting, and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v


Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
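The symlink-then-write pattern the CVE text describes, as an added example that is not part of the bug report, of engrampa, or of GNU cpio: a minimal SVR4 "newc" cpio writer and parser (my own, assumed sufficient for the demonstration), an extractor that follows a stored symlink the way the description says cpio does, and a hardened extractor that resolves each entry's parent directory against the destination before writing. The hardened extractor illustrates the missing check; it is not the Debian fix, which replaced cpio with unar. Entry names, the `evil` link and `pwned.txt` are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed example (not engrampa's or GNU cpio's code): a minimal SVR4
# "newc" cpio writer/parser plus two extractors, one that follows stored
# symlinks as the CVE text describes and one that refuses to.

NEWC_MAGIC = b"070701"
S_IFMT, S_IFREG, S_IFDIR, S_IFLNK = 0o170000, 0o100000, 0o040000, 0o120000


def _newc_entry(name: bytes, mode: int, data: bytes) -> bytes:
    """One newc record: 110-byte ASCII-hex header, NUL-terminated name, data."""
    # ino, mode, uid, gid, nlink, mtime, filesize, dev/rdev maj/min, namesize, check
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    out = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name + b"\0"
    out += b"\0" * (-len(out) % 4)                # header+name padded to 4 bytes
    return out + data + b"\0" * (-len(data) % 4)  # data padded to 4 bytes


def build_archive(entries) -> bytes:
    """entries: iterable of (name, mode, payload); payload is the link target
    for symlinks and the file contents for regular files."""
    body = b"".join(_newc_entry(n.encode(), m, d) for n, m, d in entries)
    return body + _newc_entry(b"TRAILER!!!", 0, b"")


def parse_archive(blob: bytes):
    """Yield (name, mode, payload) for each record until TRAILER!!!."""
    off = 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        data_off = off + 110 + namesize
        data_off += -data_off % 4
        payload = blob[data_off:data_off + size]
        off = data_off + size
        off += -off % 4
        if name == "TRAILER!!!":
            return
        yield name, mode, payload


def extract_naive(blob: bytes, dest: str) -> None:
    """Behaviour described in the CVE text: create the symlink entry, then
    write the later file entry through it without checking where it points."""
    for name, mode, payload in parse_archive(blob):
        target = os.path.join(dest, name)
        os.makedirs(os.path.dirname(target), exist_ok=True)  # isdir() follows the link
        if mode & S_IFMT == S_IFLNK:
            os.symlink(payload.decode(), target)
        else:
            with open(target, "wb") as fh:  # open() follows the planted symlink
                fh.write(payload)


def extract_hardened(blob: bytes, dest: str) -> list:
    """Reject absolute or '..' names and any entry whose *resolved* parent lies
    outside dest (this catches symlinks planted by earlier entries); open files
    with O_NOFOLLOW so the final component cannot be a link either.
    Returns the names of rejected entries."""
    dest_real = os.path.realpath(dest)
    rejected = []
    for name, mode, payload in parse_archive(blob):
        if os.path.isabs(name) or ".." in Path(name).parts:
            rejected.append(name)
            continue
        target = os.path.join(dest_real, name)
        parent_real = os.path.realpath(os.path.dirname(target))
        if os.path.commonpath([dest_real, parent_real]) != dest_real:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        kind = mode & S_IFMT
        if kind == S_IFDIR:
            os.makedirs(target, exist_ok=True)
        elif kind == S_IFLNK:
            os.symlink(payload.decode(), target)  # creating the link itself is harmless
        else:
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
            with os.fdopen(os.open(target, flags, 0o644), "wb") as fh:
                fh.write(payload)
    return rejected


def demo() -> dict:
    """Build the crafted archive and run both extractors against it."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        crafted = build_archive([
            ("evil", S_IFLNK | 0o777, outside.encode()),  # symlink pointing out of tree
            ("evil/pwned.txt", S_IFREG | 0o644, b"landed outside dest\n"),
        ])
        benign = build_archive([("docs/readme.txt", S_IFREG | 0o644, b"hello\n")])
        extract_naive(crafted, os.path.join(dest, "naive"))
        escaped = os.path.join(outside, "pwned.txt")
        naive_escaped = os.path.exists(escaped)
        if naive_escaped:
            os.remove(escaped)
        rejected = extract_hardened(crafted, os.path.join(dest, "safe"))
        return {
            "naive_escaped": naive_escaped,
            "hardened_rejected": rejected,
            "hardened_escaped": os.path.exists(escaped),
            "benign_rejected": extract_hardened(benign, os.path.join(dest, "benign")),
        }


if __name__ == "__main__":
    print(demo())
```

The decisive line is the `realpath()` of the parent: a name check alone ("no `..`, not absolute") passes `evil/pwned.txt`, because the traversal is in the filesystem state left by the previous entry, not in the name. Delegating to an external `cpio` that performs its own extraction, as engrampa did, leaves no place to make that check, which is why the Debian update switches the backend rather than filtering names.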
--- Begin Message ---
Source: engrampa
Source-Version: 1.24.1-1+deb11u1
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
engrampa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated engrampa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Feb 2024 07:56:27 +0100
Source: engrampa
Architecture: source
Version: 1.24.1-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1063494
Changes:
 engrampa (1.24.1-1+deb11u1) bullseye-security; urgency=medium
 .
   * debian/patches:
     + CVE-2023-52138: Add 0006_use-unar-instead-of-cpio-for-CPIO-archives.patch.
       Use unar instead of cpio for CPIO archives. (Closes: #1063494).
Checksums-Sha1:
 e28ceedf1b299efdffc849b8db193e92663f6e1d 2369 engrampa_1.24.1-1+deb11u1.dsc
 31d17cd9ca2689b79efd611996d0a2a834bcab92 1139392 engrampa_1.24.1.orig.tar.xz
 f48527e5b78d0699bcc09184a7d3a3a405f73878 8824 engrampa_1.24.1-1+deb11u1.debian.tar.xz
 9f6fe605339bbbf27ff67b30e8e3d1bb2950d0f2 17230 engrampa_1.24.1-1+deb11u1_source.buildinfo
Checksums-Sha256:
 3ee6bd024f9b97083559777c4c4d406801df4a8d7884e01ac4d9702d7e24d42e 2369 engrampa_1.24.1-1+deb11u1.dsc
 bdb096488dab37c6faa3b9c7001d0512c62b4d05aef118356241af7bb0c30fe1 1139392 engrampa_1.24.1.orig.tar.xz
 fcfa5c35670bdaeaa147e51f834d791753f4c9ebdd569cf91243860b828b8625 8824 engrampa_1.24.1-1+deb11u1.debian.tar.xz
 04bc54b5df7a4c26a548b4c3a0e7b2495657eb6785c809152e2d1e09f744bae1 17230 engrampa_1.24.1-1+deb11u1_source.buildinfo
Files:
 fb9e4f3c7aa56e1036d0ee95db0d39ad 2369 x11 optional engrampa_1.24.1-1+deb11u1.dsc
 c73b231c9fce6b40833e2ac9811d1362 1139392 x11 optional engrampa_1.24.1.orig.tar.xz
 44e4a3b1159f9555e44afb99eb638e2b 8824 x11 optional engrampa_1.24.1-1+deb11u1.debian.tar.xz
 0d137409d59afc8f05fb9e51247aa604 17230 x11 optional engrampa_1.24.1-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpZxKag40cYW.pgp
Description: PGP signature


--- End Message ---
