CVE-2019-16680

Publication date 21 September 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
file-roller	19.04 disco	Not affected
	18.04 LTS bionic	Fixed 3.28.0-1ubuntu1.1
	16.04 LTS xenial	Fixed 3.16.5-0ubuntu1.3
	14.04 LTS trusty	Not in release

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	4.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-4139-1
File Roller vulnerability
25 September 2019

Other references

https://bugzilla.gnome.org/show_bug.cgi?id=794337
https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2
https://gitlab.gnome.org/GNOME/file-roller/commit/e8fb3e24dae711e4fb0d6777e0016cdda8787bc1
https://www.cve.org/CVERecord?id=CVE-2019-16680