Your message dated Sun, 18 Feb 2024 16:47:10 +0000
with message-id <E1rbkJq-008Q8c-IQ@fasolo.debian.org>
and subject line Bug#1063494: fixed in engrampa 1.26.0-1+deb12u2
has caused the Debian Bug report #1063494,
regarding engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1063494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: engrampa: CVE-2023-52138: Path traversal via crafted cpio archives in Engrampa archivers
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 08 Feb 2024 22:47:52 +0100
- Message-id: <170742887277.54521.14037318172522929187.reportbug@eldamar.lan>
Source: engrampa
Version: 1.26.1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for engrampa.

CVE-2023-52138[0]:
| Engrampa is an archive manager for the MATE environment. Engrampa is
| found to be vulnerable to a Path Traversal vulnerability that can be
| leveraged to achieve full Remote Command Execution (RCE) on the
| target. While handling CPIO archives, the Engrampa Archive manager
| follows symlink, cpio by default will follow stored symlinks while
| extracting and the Archiver will not check the symlink location,
| which leads to arbitrary file writes to unintended locations. When
| the victim extracts the archive, the attacker can craft a malicious
| cpio or ISO archive to achieve RCE on the target system. This
| vulnerability was fixed in commit 63d5dfa.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52138
    https://www.cve.org/CVERecord?id=CVE-2023-52138
[1] https://github.com/mate-desktop/engrampa/commit/63d5dfa9005c6b16d0f0ccd888cc859fca78f970
[2] https://github.com/mate-desktop/engrampa/security/advisories/GHSA-c98h-v39w-3r7v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
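The report above describes the bug class: the extractor writes a symlink stored in the archive, then follows it for later entries, so files land outside the destination. As an added example (not engrampa's, unar's or Debian's code; the package's actual fix was to extract with unar instead of cpio), here is a Python pre-extraction check that parses a cpio "newc" archive and reports every entry that would escape the destination when extracted in archive order. The archive bytes and the destination `/tmp/extract` are constructed for the demo.

```python
import posixpath
import stat

# Constructed demo data, not from the page: cpio "newc" entries (SVR4 ASCII
# format, magic 070701), the format GNU cpio writes with -H newc.
def newc_entry(name: str, mode: int, data: bytes = b"") -> bytes:
    """One newc header + NUL-terminated name + data, each padded to 4 bytes."""
    nbytes = name.encode() + b"\0"
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nbytes), 0]  # ino..check
    head = b"070701" + "".join(f"{v:08x}" for v in fields).encode() + nbytes
    return head + b"\0" * (-len(head) % 4) + data + b"\0" * (-len(data) % 4)

def iter_newc(buf: bytes):
    """Yield (name, mode, data) per entry until the TRAILER!!! record."""
    off = 0
    while True:
        hdr = buf[off:off + 110]
        assert hdr[:6] == b"070701", "not a newc cpio archive"
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        off = (off + 110 + namesize + 3) & ~3   # header + name padded to 4
        data, off = buf[off:off + size], (off + size + 3) & ~3  # data padded to 4
        if name == "TRAILER!!!":
            return
        yield name, mode, data

def _inside(p: str, root: str) -> bool:
    return p == root or p.startswith(root + "/")

def unsafe_entries(archive: bytes, dest: str) -> list:
    """Entries that would land outside dest if extracted in archive order."""
    root = posixpath.normpath(dest)
    links, problems = {}, []
    for name, mode, data in iter_newc(archive):
        path = posixpath.normpath(posixpath.join(root, name))
        for link, target in links.items():  # follow symlinks extracted earlier
            if _inside(path, link):
                path = posixpath.normpath(target + path[len(link):])
        if not _inside(path, root):
            problems.append(f"{name}: would write to {path}")
        elif stat.S_ISLNK(mode):  # a symlink entry's data is its target path
            target = posixpath.join(posixpath.dirname(path), data.decode())
            links[path] = target = posixpath.normpath(target)
            if not _inside(target, root):
                problems.append(f"{name}: symlink points to {target}")
    return problems

MALICIOUS = (newc_entry("out", 0o120777, b"../elsewhere")      # symlink leaving dest
             + newc_entry("out/file.txt", 0o100644, b"x")       # written through it
             + newc_entry("TRAILER!!!", 0))
```

Both entries of `MALICIOUS` are reported: the symlink itself, and the regular file whose path is rerouted through it; a plain `../` entry name is caught by the same containment check.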
--- Begin Message ---
- To: 1063494-close@bugs.debian.org
- Subject: Bug#1063494: fixed in engrampa 1.26.0-1+deb12u2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 18 Feb 2024 16:47:10 +0000
- Message-id: <E1rbkJq-008Q8c-IQ@fasolo.debian.org>
- Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Source: engrampa
Source-Version: 1.26.0-1+deb12u2
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

We believe that the bug you reported is fixed in the latest version of
engrampa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (supplier of updated engrampa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Feb 2024 07:44:28 +0100
Source: engrampa
Architecture: source
Version: 1.26.0-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Changed-By: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Closes: 1063494
Changes:
 engrampa (1.26.0-1+deb12u2) bookworm-security; urgency=medium
 .
   * debian/patches:
     + CVE-2023-52138: Add 0006_use-unar-instead-of-cpio-for-CPIO-archives.patch.
       Use unar instead of cpio for CPIO archives. (Closes: #1063494).
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---