{"id":"CVE-2020-36314","details":"fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.","modified":"2026-04-16T04:39:14.563540636Z","published":"2021-04-07T12:15:12.733Z","related":["ALSA-2021:4179","SUSE-SU-2025:0032-1","openSUSE-SU-2024:10756-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75/"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/file-roller/-/issues/108"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/file-roller","events":[{"introduced":"0"},{"last_affected":"25f9db9770ff5f68aeaffce2e329ef39ae47729d"},{"fixed":"e970f4966bf388f6e7c277357c8b186c645683ae"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.38.0"}]}}],"versions":["3.0.1","3.0.2","3.1.1","3.1.2","3.1.90","3.1.91","3.1.92","3.10.0","3.10.1","3.11.1","3.11.2","3.11.3","3.11.4","3.11.5","3.11.90","3.11.91","3.11.92","3.12.0","3.12.1","3.13.1","3.13.2","3.13.91","3.13.92","3.14.0","3.14.1","3.15.1","3.15.2","3.15.90","3.15.91","3.15.92","3.16.0","3.16.1","3.16.2","3.16.3","3.16.4","3.19.1","3.19.90","3.19.91","3.2.0","3.2.1","3.20.0","3.20.1","3.20.2","3.21.90","3.21.91","3.22.0","3.22.1","3.22.2","3.22.3","3.23.91","3.23.92","3.24.0","3.24.1","3.25.1","3.25.91","3.26.0","3.26.1","3.27.1","3.27.90","3.27.91","3.28.0","3.29.1","3.29.90","3.29.91","3.3.1","3.3.2","3.3.3","3.3.90","3.3.91","3.3.92","3.30.0","3.30.1","3.31.1","3.31.2","3.31.90","3.31.91","3.31.92","3.32.0","3.32.1","3.32.2","3.35.1","3.35.90","3.35.91","3.35.92","3.36.0","3.36.1","3.36.2","3.37.90","3.38.0","3.4.0","3.4.1","3.4.2","3.5.1","3.5.2","3.5.3","3.5.4","3.5.90","3.5.91","3.5.92","3.6.0","3.6.1","3.6.1.1","3.6.2","3.7.1","3.7.2","3.7.3","3.7.90","3.7.91","3.7.92","3.8.0","3.8.1","3.9.1","3.9.2","3.9.3","3.9.4","3.9.90","3.9.91","3.9.92","FILE_ROLLER_2_13_2","FILE_ROLLER_2_13_4","FILE_ROLLER_2_13_90","FILE_ROLLER_2_13_91","FILE_ROLLER_2_13_92","FILE_ROLLER_2_14_0","FILE_ROLLER_2_14_1","FILE_ROLLER_2_14_2","FILE_ROLLER_2_14_3","FILE_ROLLER_2_15_1","FILE_ROLLER_2_15_90","FILE_ROLLER_2_15_91","FILE_ROLLER_2_15_92","FILE_ROLLER_2_15_93","FILE_ROLLER_2_16_0","FILE_ROLLER_2_16_1","FILE_ROLLER_2_17_1","FILE_ROLLER_2_17_2","FILE_ROLLER_2_17_3","FILE_ROLLER_2_17_4","FILE_ROLLER_2_17_5","FILE_ROLLER_2_17_90","FILE_ROLLER_2_17_91","FILE_ROLLER_2_17_92","FILE_ROLLER_2_18_0","FILE_ROLLER_2_19_1","FILE_ROLLER_2_19_2","FILE_ROLLER_2_19_3","FILE_ROLLER_2_19_4","FILE_ROLLER_2_19_90","FILE_ROLLER_2_19_91","FILE_ROLLER_2_19_92","FILE_ROLLER_2_20_0","FILE_ROLLER_2_20_1","FILE_ROLLER_2_20_2","FILE_ROLLER_2_21_1","FILE_ROLLER_2_21_2","FILE_ROLLER_2_21_91","FILE_ROLLER_2_21_92","FILE_ROLLER_2_22_0","FILE_ROLLER_2_23_1","FILE_ROLLER_2_23_2","FILE_ROLLER_2_23_3","FILE_ROLLER_2_23_4","FILE_ROLLER_2_23_5","FILE_ROLLER_2_23_6","FILE_ROLLER_2_23_91","FILE_ROLLER_2_23_92","FILE_ROLLER_2_24_0","FILE_ROLLER_2_24_1","FILE_ROLLER_2_24_2","FILE_ROLLER_2_25_1","FILE_ROLLER_2_25_2","FILE_ROLLER_2_25_90","FILE_ROLLER_2_25_91","FILE_ROLLER_2_25_92","FILE_ROLLER_2_26_0","FILE_ROLLER_2_26_1","FILE_ROLLER_2_27_1","FILE_ROLLER_2_27_2","FILE_ROLLER_2_27_3","FILE_ROLLER_2_27_90","FILE_ROLLER_2_27_91","FILE_ROLLER_2_27_92","FILE_ROLLER_2_28_0","FILE_ROLLER_2_28_1","FILE_ROLLER_2_29_1","FILE_ROLLER_2_29_2","FILE_ROLLER_2_29_3","FILE_ROLLER_2_29_4","FILE_ROLLER_2_29_5","FILE_ROLLER_2_29_90","FILE_ROLLER_2_29_91","FILE_ROLLER_2_29_92","FILE_ROLLER_2_30_0","FILE_ROLLER_2_30_1","FILE_ROLLER_2_30_1_1","FILE_ROLLER_2_31_1","FILE_ROLLER_2_31_2","FILE_ROLLER_2_31_3","FILE_ROLLER_2_31_4","FILE_ROLLER_2_31_5","FILE_ROLLER_2_31_90","FILE_ROLLER_2_31_91","FILE_ROLLER_2_31_92","FILE_ROLLER_2_32_0","FILE_ROLLER_2_4_0_1","FILE_ROLLER_2_91_0","FILE_ROLLER_2_91_1","FILE_ROLLER_2_91_2","FILE_ROLLER_2_91_3","FILE_ROLLER_2_91_4","FILE_ROLLER_2_91_5","FILE_ROLLER_2_91_6","FILE_ROLLER_2_91_90","FILE_ROLLER_2_91_91","FILE_ROLLER_2_91_92","FILE_ROLLER_2_91_93","FILE_ROLLER_3_0_0","start"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36314.json","vanir_signatures":[{"deprecated":false,"signature_version":"v1","digest":{"length":6450,"function_hash":"60808048955709512113614328805455686923"},"signature_type":"Function","source":"https://gitlab.gnome.org/GNOME/file-roller@e970f4966bf388f6e7c277357c8b186c645683ae","target":{"function":"extract_archive_thread","file":"src/fr-archive-libarchive.c"},"id":"CVE-2020-36314-2364fd42"},{"id":"CVE-2020-36314-3218266e","source":"https://gitlab.gnome.org/GNOME/file-roller@e970f4966bf388f6e7c277357c8b186c645683ae","digest":{"length":607,"function_hash":"221862826492744174448882073341140660307"},"signature_version":"v1","signature_type":"Function","target":{"function":"_g_path_is_external_to_destination","file":"src/fr-archive-libarchive.c"},"deprecated":false},{"deprecated":false,"signature_type":"Function","digest":{"length":574,"function_hash":"225555408848509352649734333218533066612"},"source":"https://gitlab.gnome.org/GNOME/file-roller@e970f4966bf388f6e7c277357c8b186c645683ae","signature_version":"v1","target":{"function":"_g_file_is_external_link","file":"src/fr-archive-libarchive.c"},"id":"CVE-2020-36314-3bdc2ee2"},{"deprecated":false,"source":"https://gitlab.gnome.org/GNOME/file-roller@e970f4966bf388f6e7c277357c8b186c645683ae","digest":{"line_hashes":["146709715939960724337984117600763767179","339292542750140785681510903034105870224","61875278375570892821098603046798246561","9330766702121949749193116613950402458","139621286019227627471182516234522632973","253498509519190053050280382239615365662","59352099754258104963826902346600857353","15205626340177883025994517826932947242","269112921522858811606359151611391841919","282762587831354914157114927780954489518","94595517170135421982233436038889957540","258843169712597735522550442016088699092","305014681621814902859561482479672603785","106373370379301050872180296754894752797","166153319792990008894491681968441981978","172409883153889635762808570190416317623","59818968609041984036945092529645845813","175218409851787736851333769572078405971","17113982375513870659640008184570272246","95095239404770777455759279768267648551","211147439344134261834870390964796942286","316333989518642035503790208939481328725","211808846282800040036471567809205776437","87064133438308804370849661192319995610","217188080634658278566619999871655327423","186640571692880731674236388179376812113","160325128240631869355286106680032159907","190196787794967193605227218316443864987","125989739605580149557292587885226939523","34358751167327713231375788334684889236","174464104724081770578147776848587067707","209997232111927185028180963883771771337","283617308596420261888664405384249959479","330170261065734099579408535797325582009","51286193091577489434886348106173399315","162085901981231389655052844769446399440","149977351005032867707416397657337136903","61875278375570892821098603046798246561","9330766702121949749193116613950402458","285395783860028710305179130236877206594","182106710661689288703119735941506535191","247093038411034937787456835547337124872","31738314008231641698851217801887981628","309711283108608653692582090840606050484","330525804751936660857897758681898188387","166446326209426793592442228934490187998","283309492847414812467451188217850024293","238159692836943335195463112226658417945","329953309676211047576268453301133120524","321311068558485747022267600066324895626","339184105175035333071544431659902864589","327524862563747969385012655824980711684","41156593881384362318774313794676142904","208788113200024406196378464063681708935","153873218480326209053260067020202982385","303235726141394301577409669637759581235","308334083766018209295213333542932706217","96416529238657292593388119774956125573","175538751908827492137131447310603896379","211122986791249401185149796701217349195","320354896816648722737588298195663991306","319597738784256129866939466325643336173","43440380073842771978682096697109832629","41074302152437806050277331509859900068","61563206650722470387135163230619936383","266932053986537170036898743238015296936","226207979753920528157978555471342888922","198869584461651495594300288719767699204","336497463834823330095709743882419554036","283708578454091339762301713036289880254","203478842179416947683365690375817902093","124511053327699945457999862393893920877","295558116060533278747699984223012980710","170476023375528992982554261822180028905","104912271197867939507078593505647767818","92518666592401086780939486666771672990","224484994291639959088328409081130961198","152038198070274558671006613990696813652","331458564215768077372960133616139681793","45553021009269892167052076222981899725","58463451515051538920586302687493629123","175693348568067947358319989115602115444","15192357812979915149219519770168361566","161006039304731174134311122121443195174","201532959395590088997840615776273212443","14380720067579882898163090373395488232","247093038411034937787456835547337124872","31738314008231641698851217801887981628","309711283108608653692582090840606050484","330525804751936660857897758681898188387","241989282876723620409227140451357862211","2547700575424853994325559819059689279","80342930890429303859239855681031515920","92518666592401086780939486666771672990","224484994291639959088328409081130961198","45553021009269892167052076222981899725","58463451515051538920586302687493629123","70272866685011805801234117246910269332","82381267178719591418649516733868065432","116438243239424002785498866370044178676","158182987833810717907407811528224842214","8871850198502240683468577164925797305","133081834029466068120005964067472447091","143917871285439392202171140879783940993","104212490712745305036860141525303761085","166900524688405353612781243253450318310","280220251396634263758167077386372050282","116922807588638777035506432014800070092","188889080150862448265302819644136723532","226954291462105304296779657971084332274","330119552645069808028021613831211373716","182129028155667278043158366077447801062","121068187868981962691750451105296784474","66651885385417969885348701915491119710","79973790705147843339350223599674721450","302311904733875103776792268455204124474","309314296294565765534731549157228893346","107604141983718072273420107334744061161","330197757295130754756991416251106594588","83253584824601087573820988722221943333"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","target":{"file":"src/fr-archive-libarchive.c"},"id":"CVE-2020-36314-4769bcf8"},{"id":"CVE-2020-36314-a8349b33","source":"https://gitlab.gnome.org/GNOME/file-roller@e970f4966bf388f6e7c277357c8b186c645683ae","digest":{"length":901,"function_hash":"335236319665612153582736678377402884593"},"signature_version":"v1","signature_type":"Function","target":{"function":"_symlink_is_external_to_destination","file":"src/fr-archive-libarchive.c"},"deprecated":false}],"vanir_signatures_modified":"2026-04-11T16:25:21Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"}]}