Bug#982737: gnome-autoar: CVE-2020-36241
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 1 09:57:18 GMT 2021
Hi,
On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-2
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 0.2.3-2
>
> Hi,
>
> The following vulnerability was published for gnome-autoar.
>
> CVE-2020-36241[0]:
> | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink to a directory outside of the intended extraction
> | location.
>
> If possible this ideally should be fixed in bullseye in time.
Would it be possible to cherry-pick the fix so we have the fix
included in bullseye?
Regards,
Salvatore
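As an added illustration of the missing check described in the CVE text above (example code written for this page, not gnome-autoar's own code or its upstream fix), the Python function below decides whether an archive member may be created under a destination directory. Besides the usual lexical checks (absolute names, `..` components), it locates the nearest already-existing ancestor of the target path, resolves it through symlinks, and refuses the member if that resolved directory lies outside the extraction root. It goes slightly beyond the advisory's wording by checking any existing ancestor, not only the direct parent, and by refusing to write through an existing symlink at the target itself. The `demo()` layout (a `dest` directory with one symlink pointing outside it and one pointing inside it) is constructed in a temporary directory for the example.

```python
import os
import tempfile


def safe_target(dest_root: str, member_name: str):
    """Return the absolute path at which an archive member may be created,
    or None if creating it could escape dest_root.

    1. Lexical check: reject absolute names and any '..' component.
    2. On-disk check (the CVE-2020-36241 condition): the nearest existing
       ancestor of the target, resolved through symlinks, must still be
       dest_root or a directory below it.
    3. Refuse to write through an existing symlink at the target path.
    """
    root = os.path.realpath(dest_root)

    if os.path.isabs(member_name):
        return None
    parts = [p for p in member_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    target = os.path.join(root, *parts)

    # Walk up from the parent until we reach something that exists on disk
    # (the root always exists, so the loop terminates there at the latest).
    probe = os.path.dirname(target)
    while probe != root and not os.path.lexists(probe):
        probe = os.path.dirname(probe)

    # Resolve symlinks in that existing ancestor; it must stay under root.
    real_probe = os.path.realpath(probe)
    if real_probe != root and not real_probe.startswith(root + os.sep):
        return None

    # Writing to an existing symlink would follow it to wherever it points.
    if os.path.islink(target):
        return None

    return target


def demo() -> dict:
    """Build a constructed layout in a temp dir and report which member
    names the check accepts (True) or rejects (False)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")   # directory outside the extraction root
        dest = os.path.join(tmp, "dest")         # extraction root
        os.mkdir(outside)
        os.mkdir(dest)
        os.mkdir(os.path.join(dest, "ok"))
        # Constructed symlinks: one escapes the root, one stays inside it.
        os.symlink(outside, os.path.join(dest, "escape"))
        os.symlink(os.path.join(dest, "ok"), os.path.join(dest, "inner"))

        return {
            "plain": safe_target(dest, "ok/file.txt") is not None,
            "new_subdir": safe_target(dest, "new/deeper/file.txt") is not None,
            "dotdot": safe_target(dest, "../file.txt") is not None,
            "absolute": safe_target(dest, "/etc/passwd") is not None,
            "symlink_parent_outside": safe_target(dest, "escape/file.txt") is not None,
            "symlink_parent_inside": safe_target(dest, "inner/file.txt") is not None,
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The interesting case is `symlink_parent_outside`: the member name `escape/file.txt` passes every purely lexical check, and only resolving the already-created `escape` symlink reveals that the file would land outside `dest`. An extractor that creates members in archive order has to perform this on-disk check for each member, because an earlier member may have planted the symlink.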