
Bug#1063494: marked as done (engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers)



Your message dated Sun, 18 Feb 2024 16:47:10 +0000
with message-id <E1rbkJq-008Q8c-IQ@fasolo.debian.org>
and subject line Bug#1063494: fixed in engrampa 1.26.0-1+deb12u2
has caused the Debian Bug report #1063494,
regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlinks: cpio by default will follow stored symlinks while
| extracting, and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v


Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
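The report above describes the mechanism: a cpio archive stores a symlink, cpio follows it during extraction, and a later entry is written through it to a location outside the extraction directory. The following pre-extraction check, written for this page and not part of Engrampa or the Debian fix (which swaps cpio for unar), parses the cpio "newc" format and flags entries that escape the extraction root or pass through an archived symlink. The archive it scans is constructed inline as test input; the entry names and the `scan`/`iter_newc` helpers are this example's own.

```python
import posixpath
import stat
HDR = 110  # fixed "newc" header size: 6-byte magic + 13 eight-digit hex fields
def _pad4(n):
    return (4 - n % 4) % 4
def build_newc(entries):  # (name, mode, data) tuples -> newc archive bytes (constructed input)
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + "".join("%08x" % f for f in fields).encode()
        out += nm + b"\0" * _pad4(HDR + len(nm))      # name is NUL-terminated, 4-byte aligned
        out += data + b"\0" * _pad4(len(data))        # file data (symlink target for links)
    return bytes(out)
def iter_newc(blob):  # yield (name, mode, data) for every entry before the trailer
    off = 0
    while off + HDR <= len(blob):
        if blob[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio header at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + HDR:off + HDR + namesize - 1].decode()
        off += HDR + namesize + _pad4(HDR + namesize)
        data, off = blob[off:off + size], off + size + _pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, data
def _escapes(path):  # True if the normalised path leaves the extraction root
    n = posixpath.normpath(path)
    return posixpath.isabs(n) or n == ".." or n.startswith("../")
def scan(blob):  # return (entry, reason) findings; empty list means nothing suspicious
    findings, links = [], set()
    for name, mode, data in iter_newc(blob):
        if _escapes(name):
            findings.append((name, "entry path escapes extraction root"))
        if stat.S_ISLNK(mode):  # resolve the link target relative to the link's directory
            if _escapes(posixpath.join(posixpath.dirname(name), data.decode())):
                findings.append((name, "symlink target escapes root: " + data.decode()))
            links.add(posixpath.normpath(name))
        parts = posixpath.normpath(name).split("/")  # any parent component a known symlink?
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            findings.append((name, "path passes through an archived symlink"))
    return findings
SAMPLE = build_newc([  # constructed: benign file, escaping symlink, file written through it
    ("docs/readme.txt", stat.S_IFREG | 0o644, b"hello\n"),
    ("docs/cfg", stat.S_IFLNK | 0o777, b"../../outside"),
    ("docs/cfg/note.txt", stat.S_IFREG | 0o644, b"x"),
])
```

Running `scan(SAMPLE)` reports the symlink and the entry written through it while leaving the benign file unflagged; a real deployment would refuse extraction, or extract with symlinks disabled, whenever the list is non-empty.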
--- Begin Message ---
Source: engrampa
Source-Version: 1.26.0-1+deb12u2
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

We believe that the bug you reported is fixed in the latest version of
engrampa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated engrampa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 13 Feb 2024 07:44:28 +0100
Source: engrampa
Architecture: source
Version: 1.26.0-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Closes: 1063494
Changes:
 engrampa (1.26.0-1+deb12u2) bookworm-security; urgency=medium
 .
   * debian/patches:
     + CVE-2023-52138: Add 0006_use-unar-instead-of-cpio-for-CPIO-archives.patch.
       Use unar instead of cpio for CPIO archives. (Closes: #1063494).



--- End Message ---
