This bug was fixed in the package file-roller - 3.16.5-0ubuntu1.2

---------------
file-roller (3.16.5-0ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Path traversal flaw allows arbitrary file deletion via
    malicious archive (LP: #1171236)
    - debian/patches/CVE-2016-7162.patch: Do not follow symlinks when deleting
      a folder recursively. Based on upstream patch.
    - CVE-2016-7162

 -- Tyler Hicks <tyhi...@canonical.com>  Thu, 08 Sep 2016 09:17:37 -0500

** Changed in: file-roller (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to file-roller in Ubuntu.
https://bugs.launchpad.net/bugs/1171236

Title:
  file-roller may delete the content of linked folder (?)

Status in File Roller:
  Fix Released
Status in file-roller package in Ubuntu:
  Fix Committed
Status in file-roller source package in Trusty:
  Fix Released
Status in file-roller source package in Xenial:
  Fix Released

Bug description:
  (Excuse my English, I'm not a native speaker. I will try to be as
  clear as possible).

  After attempting to create an archive from folders which were actually
  just links, it seems that file-roller deleted all their content.

  Here are the steps I did:
  - Inside a folder, I had a dozen subfolders. Half of them were just links to
    folders placed elsewhere.
  - In Nautilus, I selected all these subfolders, chose "compress", then
    chose "zip" as the format.
  - The archive was created without any error message.

  I was expecting all the folders to be added to the archive, regardless
  of them being links or not.

  The disastrous result:
  - The archive is unusable. Attempting to expand it results in an error
    message (I didn't take note, but it was something generic saying the
    archive couldn't be expanded).
  - But more importantly, the content of the folders which were linked has
    disappeared. That is, the links are still here, the folders which they
    link to are still here, but they have been emptied.
  The files are not in the dustbin, they just disappeared.

  I noticed this right after I created the archive, I didn't touch my
  computer in-between.
  That's why I suspect file-roller.

  I will try to reproduce this bug in order to confirm it.
  But not before I find a way to recover my files, I lost a week of work
  because of this.

  Ubuntu 12.10 x64
  file-roller 3.6.1.1-0ubuntu1.1
