{"id":"CVE-2020-11736","details":"fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.","modified":"2026-04-16T04:30:29.305876532Z","published":"2020-04-13T19:15:11.127Z","related":["ALSA-2021:4179","SUSE-SU-2020:1505-1","SUSE-SU-2020:1557-1","openSUSE-SU-2020:0825-1","openSUSE-SU-2024:10756-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202009-06"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4332-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4332-2/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/04/msg00013.html"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/file-roller","events":[{"introduced":"0"},{"last_affected":"3e70dc594044b2792e8e2c50fa8ea79438b1ddfc"},{"fixed":"21dfcdbfe258984db89fb65243a1a888924e45a0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.36.1"}]}}],"versions":["3.0.1","3.0.2","3.1.1","3.1.2","3.1.90","3.1.91","3.1.92","3.10.0","3.10.1","3.11.1","3.11.2","3.11.3","3.11.4","3.11.5","3.11.90","3.11.91","3.11.92","3.12.0","3.12.1","3.13.1","3.13.2","3.13.91","3.13.92","3.14.0","3.14.1","3.15.1","3.15.2","3.15.90","3.15.91","3.15.92","3.16.0","3.16.1","3.16.2","3.16.3","3.16.4","3.19.1","3.19.90","3.19.91","3.2.0","3.2.1","3.20.0","3.20.1","3.20.2","3.21.90","3.21.91","3.22.0","3.22.1","3.22.2","3.22.3","3.23.91","3.23.92","3.24.0","3.24.1","3.25.1","3.25.91","3.26.0","3.26.1","3.27.1","3.27.90","3.27.91","3.28.0","3.29.1","3.29.90","3.29.91","3.3.1","3.3.2","3.3.3","3.3.90","3.3.91","3.3.92","3.30.0","3.30.1","3.31.1","3.31.2","3.31.90","3.31.91","3.31.92","3.32.0","3.32.1","3.32.2","3.35.1","3.35.90","3.35.91","3.35.92","3.36.0","3.36.1","3.4.0","3.4.1","3.4.2","3.5.1","3.5.2","3.5.3","3.5.4","3.5.90","3.5.91","3.5.92","3.6.0","3.6.1","3.6.1.1","3.6.2","3.7.1","3.7.2","3.7.3","3.7.90","3.7.91","3.7.92","3.8.0","3.8.1","3.9.1","3.9.2","3.9.3","3.9.4","3.9.90","3.9.91","3.9.92","FILE_ROLLER_2_13_2","FILE_ROLLER_2_13_4","FILE_ROLLER_2_13_90","FILE_ROLLER_2_13_91","FILE_ROLLER_2_13_92","FILE_ROLLER_2_14_0","FILE_ROLLER_2_14_1","FILE_ROLLER_2_14_2","FILE_ROLLER_2_14_3","FILE_ROLLER_2_15_1","FILE_ROLLER_2_15_90","FILE_ROLLER_2_15_91","FILE_ROLLER_2_15_92","FILE_ROLLER_2_15_93","FILE_ROLLER_2_16_0","FILE_ROLLER_2_16_1","FILE_ROLLER_2_17_1","FILE_ROLLER_2_17_2","FILE_ROLLER_2_17_3","FILE_ROLLER_2_17_4","FILE_ROLLER_2_17_5","FILE_ROLLER_2_17_90","FILE_ROLLER_2_17_91","FILE_ROLLER_2_17_92","FILE_ROLLER_2_18_0","FILE_ROLLER_2_19_1","FILE_ROLLER_2_19_2","FILE_ROLLER_2_19_3","FILE_ROLLER_2_19_4","FILE_ROLLER_2_19_90","FILE_ROLLER_2_19_91","FILE_ROLLER_2_19_92","FILE_ROLLER_2_20_0","FILE_ROLLER_2_20_1","FILE_ROLLER_2_20_2","FILE_ROLLER_2_21_1","FILE_ROLLER_2_21_2","FILE_ROLLER_2_21_91","FILE_ROLLER_2_21_92","FILE_ROLLER_2_22_0","FILE_ROLLER_2_23_1","FILE_ROLLER_2_23_2","FILE_ROLLER_2_23_3","FILE_ROLLER_2_23_4","FILE_ROLLER_2_23_5","FILE_ROLLER_2_23_6","FILE_ROLLER_2_23_91","FILE_ROLLER_2_23_92","FILE_ROLLER_2_24_0","FILE_ROLLER_2_24_1","FILE_ROLLER_2_24_2","FILE_ROLLER_2_25_1","FILE_ROLLER_2_25_2","FILE_ROLLER_2_25_90","FILE_ROLLER_2_25_91","FILE_ROLLER_2_25_92","FILE_ROLLER_2_26_0","FILE_ROLLER_2_26_1","FILE_ROLLER_2_27_1","FILE_ROLLER_2_27_2","FILE_ROLLER_2_27_3","FILE_ROLLER_2_27_90","FILE_ROLLER_2_27_91","FILE_ROLLER_2_27_92","FILE_ROLLER_2_28_0","FILE_ROLLER_2_28_1","FILE_ROLLER_2_29_1","FILE_ROLLER_2_29_2","FILE_ROLLER_2_29_3","FILE_ROLLER_2_29_4","FILE_ROLLER_2_29_5","FILE_ROLLER_2_29_90","FILE_ROLLER_2_29_91","FILE_ROLLER_2_29_92","FILE_ROLLER_2_30_0","FILE_ROLLER_2_30_1","FILE_ROLLER_2_30_1_1","FILE_ROLLER_2_31_1","FILE_ROLLER_2_31_2","FILE_ROLLER_2_31_3","FILE_ROLLER_2_31_4","FILE_ROLLER_2_31_5","FILE_ROLLER_2_31_90","FILE_ROLLER_2_31_91","FILE_ROLLER_2_31_92","FILE_ROLLER_2_32_0","FILE_ROLLER_2_4_0_1","FILE_ROLLER_2_91_0","FILE_ROLLER_2_91_1","FILE_ROLLER_2_91_2","FILE_ROLLER_2_91_3","FILE_ROLLER_2_91_4","FILE_ROLLER_2_91_5","FILE_ROLLER_2_91_6","FILE_ROLLER_2_91_90","FILE_ROLLER_2_91_91","FILE_ROLLER_2_91_92","FILE_ROLLER_2_91_93","FILE_ROLLER_3_0_0","start"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]}],"vanir_signatures":[{"deprecated":false,"target":{"file":"src/fr-archive-libarchive.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2020-11736-155c6f95","source":"https://gitlab.gnome.org/GNOME/file-roller@21dfcdbfe258984db89fb65243a1a888924e45a0","digest":{"line_hashes":["95385917723954952152686545935893094378","97105830784155770464566615438635742643","306632737854118002414292104102373088147","57913424553042995627072615031115105077","100562731692271825183085485196907839544","298651497325788982640650275848978867113","319394264950515885534520465988877127478","47294577577953722963932565503162664106","273948702616890280881647240280589881474","272890392417249326463960713961549661948","179506783225786967226473831262843678331","314861120285357120543648217803876325105","225533952785851287494446717619576607239","8812003520771277943284835816947609593","206053551948270958591965294830818961352","75275916384227615079226712586050902278","256032366655366056021704912370287575847","12641414983514777817441301290634055979","111015415899745327204635956785598098355","287406378442227732099276969580333187796","132349299994660122083462138388699623711","218677691514100028481150288167962310938","18068216535966220537647144952895369903"],"threshold":0.9}},{"deprecated":false,"id":"CVE-2020-11736-8e4ca4e4","signature_type":"Function","signature_version":"v1","target":{"file":"src/fr-archive-libarchive.c","function":"extract_archive_thread"},"source":"https://gitlab.gnome.org/GNOME/file-roller@21dfcdbfe258984db89fb65243a1a888924e45a0","digest":{"length":5664,"function_hash":"214991395152448538584064251078582305986"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11736.json","vanir_signatures_modified":"2026-04-11T15:27:46Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"}]}