Bug#985391: gnome-autoar: CVE-2021-28650
jmm at inutil.org
Mon Jun 7 18:12:10 BST 2021
On Wed, Mar 17, 2021 at 09:36:44AM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-3
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>,seb128 at ubuntu.com
> Control: fixed -1 0.3.1-1
> I'm X-Debbugs-CC'ing as well explicitly Sebastien.
> The following vulnerability was published for gnome-autoar.
> | autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink in certain complex situations. NOTE: this issue exists
> | because of an incomplete fix for CVE-2020-36241.
> It appears that CVE-2020-36241 was not fixed completely, and resulted
> in CVE-2021-28650 with upstream commit . The corresponding upstream
> issue is not (yet?) public, but maybe you have access to it.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  https://security-tracker.debian.org/tracker/CVE-2021-28650
>  https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
There's two additional fixes which fix regressions from the security fix:
More information about the pkg-gnome-maintainers