Bug#985391: gnome-autoar: CVE-2021-28650

Moritz Muehlenhoff jmm at inutil.org
Mon Jun 7 18:12:10 BST 2021


On Wed, Mar 17, 2021 at 09:36:44AM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-3
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>,seb128 at ubuntu.com
> Control: fixed -1 0.3.1-1
> 
> Hi,
> 
> I'm X-Debbugs-CC'ing as well explicitly Sebastien.
> 
> The following vulnerability was published for gnome-autoar.
> 
> CVE-2021-28650[0]:
> | autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink in certain complex situations. NOTE: this issue exists
> | because of an incomplete fix for CVE-2020-36241.
> 
> It appears that CVE-2020-36241 was not fixed completely, and resulted
> in CVE-2021-28650 with upstream commit [1]. The corresponding upstream
> issue is not (yet?) public, but maybe you have access to it.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-28650
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650
> [1] https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4

There's two additional fixes which fix regressions from the security fix:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/135053d5d3a0320891cf2e2ad4684b648bb46fc8
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b9590ab77b70e74e9deffd2af6c32908dc3c5aaf

Cheers,
        Moritz



More information about the pkg-gnome-maintainers mailing list