CVE-2020-11736: 
NixOS vulnerability analysis and mitigation

A directory traversal vulnerability was discovered in GNOME file-roller through version 3.36.1, identified as CVE-2020-11736. The vulnerability exists in the fr-archive-libarchive.c component, which fails to properly check whether a file's parent is a symlink to a directory outside of the intended extraction location (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L. The issue is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

When exploited, this vulnerability could allow an attacker to expose sensitive information through incorrect handling of symlinks during file extraction (Ubuntu Notice, Gentoo Advisory).

The vulnerability has been fixed in file-roller version 3.36.3 and later. Multiple Linux distributions have released security updates: Ubuntu 20.04 LTS (3.36.1-1ubuntu0.1), Ubuntu 19.10 (3.32.2-1ubuntu0.1), Ubuntu 18.04 (3.28.0-1ubuntu1.2), and Ubuntu 16.04 (3.16.5-0ubuntu1.4). Debian 8 'Jessie' users should upgrade to version 3.14.1-1+deb8u2 (Ubuntu Notice, Debian Advisory).