CVE-2023-52138: 
NixOS vulnerability analysis and mitigation

Engrampa, an archive manager for the MATE environment, was found to be vulnerable to a Path Traversal vulnerability (CVE-2023-52138) that could be leveraged to achieve full Remote Command Execution (RCE). The vulnerability was discovered in versions prior to 1.26.2 and was fixed in commit 63d5dfa (GitHub Commit).

The vulnerability exists in the handling of CPIO archives, where the Engrampa Archive manager follows symlinks by default during extraction without properly validating the symlink location. This behavior leads to arbitrary file writes to unintended locations on the system. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 CRITICAL by NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and 8.2 HIGH by GitHub (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N) (NVD).

An attacker can craft malicious CPIO or ISO archives that exploit this vulnerability to write files to sensitive locations such as ~/.ssh, ~/.bashrc, and ~/.config/autostart/, potentially achieving full remote command execution on the target system when the victim extracts the archive (GitHub Advisory).

The vulnerability has been patched in Engrampa version 1.26.2 by switching from cpio to unar for handling CPIO archives. Users are advised to upgrade to this version or later. Various distributions have also released security updates, including Debian 10 (version 1.20.2-1+deb10u1) and Fedora 39 (version 1.26.2-1.fc39) (Debian Advisory, Fedora Update).