The _g_file_remove_directory function in file-utils.c in File Roller 3.5.4 through 3.20.2 allows remote attackers to delete arbitrary files via a symlink attack on a folder in an archive.
Related bugs and status
CVE-2016-7162 (Candidate)
is related to these bugs: