file-roller may delete the content of linked folder

Bug #1171236 reported by charles r. on 2013-04-21
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
File Roller
Fix Released
High
file-roller (Ubuntu)
High
Unassigned
Trusty
Medium
Tyler Hicks
Xenial
Medium
Tyler Hicks

Bug Description

(Excuse my english, I'm not a native speaker. I will try to be as clear as possible).

After attempting to create an archive from folders who where actually just links, it seems that file-roller deleted all their content.

Here are the steps I did :
- Inside a folder, I had a dozen subfolders. Half of them where just links to folders placed elsewhere.
- In Nautilus, I selected all these subfolders, choosed "compress", then choosed "zip" as the format.
- The archive was created without any error message.

I was expecting all the folders to be added to the archive, regardless of them being links or not.

The disastrous result :
- The archive is unusable. Attempting to expand it results in an error message (I didn't take note, but it was something generic saying the archive couldn't be expanded).
- But more importantly, the content of the folders who where linked has disappeared. That is, the links are still here, the folders which they link to are still here, but they have been emptied.
The files are not in the dustbin, they just disappeared.

I noticed this right after I created the archive, I didn't touch my computer in-between.
That's why I suspect file-roller.

I will try to reproduce this bug in order to confirm it.
But not before I find a way to recover my files, I lost a week of work because of this.

Ubuntu 12.10 x64
file-roller 3.6.1.1-0ubuntu1.1

CVE References

charles r. (tcharlss) wrote :

I made further tests, and I could reproduce this bug on another computer (with the same setup).

It happens when you attempt to extract the archive containing linked folders.
Here are the exact steps to reproduce this bug :

1- Create a folder, say "container"
2- Inside, create another folder, say "real folder"
3- Place some files inside this folder (a week worth of precious work for instance. ah ah!)
4- Create a link of this folder in nautilus (right clic -> create a link)

It should look like this :
-container
        |_real folder (with files inside)
        |_link to real folder

5- Create an archive from "link to real folder" (a zip in my test)
6- Extract that archive anywhere you want.
    You will get an error message saying the files could not be extracted.
    Check "real folder" : all the files should have disappeared !

Another thing to note : I works from one computer to another.
Create a "bogus" archive in computer A, extract it in computer B.
If computer B happens to have the same folders as the links contained inside the archive, they will also be emptied.
(There goes my backup files by the way -and one chance to recover them. I'm so happy).

My disc drives are formatted in ext4 if it's of any help.

Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Changed in file-roller (Ubuntu):
importance: Undecided → High
charles r. (tcharlss) wrote :

I opened a new bug at bugzilla : 698554 (https://bugzilla.gnome.org/show_bug.cgi?id=698554)
It may be a duplicate of bug 647753 (https://bugzilla.gnome.org/show_bug.cgi?id=647753) but I'm not entirely sure, as the description is not clear and it wasn't updated since 2011.

Sebastien Bacher (seb128) wrote :

Thanks for filing the bug upstream, let's see what they say

Changed in file-roller (Ubuntu):
status: New → Triaged
Changed in file-roller:
importance: Unknown → High
status: Unknown → New
Changed in file-roller:
status: New → Fix Released
Changed in file-roller (Ubuntu):
status: Triaged → Fix Committed
Tyler Hicks (tyhicks) on 2016-09-08
Changed in file-roller (Ubuntu Trusty):
status: New → In Progress
Changed in file-roller (Ubuntu Xenial):
status: New → In Progress
Changed in file-roller (Ubuntu Trusty):
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in file-roller (Ubuntu Xenial):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package file-roller - 3.10.2.1-0ubuntu4.2

---------------
file-roller (3.10.2.1-0ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Path traversal flaw allows arbitrary file deletion via
    malicious archive (LP: #1171236)
    - debian/patches/CVE-2016-7162.patch: Do not follow symlinks when deleting
      a folder recursively. Based on upstream patch.
    - CVE-2016-7162

 -- Tyler Hicks <email address hidden> Thu, 08 Sep 2016 09:17:49 -0500

Changed in file-roller (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package file-roller - 3.16.5-0ubuntu1.2

---------------
file-roller (3.16.5-0ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Path traversal flaw allows arbitrary file deletion via
    malicious archive (LP: #1171236)
    - debian/patches/CVE-2016-7162.patch: Do not follow symlinks when deleting
      a folder recursively. Based on upstream patch.
    - CVE-2016-7162

 -- Tyler Hicks <email address hidden> Thu, 08 Sep 2016 09:17:37 -0500

Changed in file-roller (Ubuntu Xenial):
status: In Progress → Fix Released
Tyler Hicks (tyhicks) on 2016-09-08
Changed in file-roller (Ubuntu):
status: Fix Committed → Fix Released
summary: - file-roller may delete the content of linked folder (?)
+ file-roller may delete the content of linked folder
information type: Public → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.