Bug#982737: gnome-autoar: CVE-2020-36241

Michael Biebl biebl at debian.org
Mon Mar 1 10:24:19 GMT 2021


Hi Salvatore

On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
>> Source: gnome-autoar
>> Version: 0.2.4-2
>> Severity: important
>> Tags: security upstream
>> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
>> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>> Control: found -1 0.2.3-2
>>
>> Hi,
>>
>> The following vulnerability was published for gnome-autoar.
>>
>> CVE-2020-36241[0]:
>> | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
>> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
>> | during extraction because it lacks a check of whether a file's parent
>> | is a symlink to a directory outside of the intended extraction
>> | location.
>>
>> If possible this ideally should be fixed in bullseye in time.
> 
> Would it be possible to cherry-pick the fix so we have the fix
> included in bullseye?


Seems reasonable. That said, I haven't really done any GNOME-related 
uploads for quite a while.


Regards,
Michael
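The CVE text quoted above describes the missing check: before writing an archive member, the extractor must verify that none of the member's parent directories (after resolving symlinks, including ones an earlier member may have created) points outside the extraction root. The following is an added illustration of that check in Python; it is not gnome-autoar's code and does not reproduce the upstream fix. The function and directory names are constructed for the demonstration.

```python
import os
import tempfile


def resolve_member_path(dest_root, member_name):
    """Return the absolute path at which an archive member may be written,
    or None if it must be refused.

    Every parent component of the member is resolved (symlinks included)
    and must still lie inside dest_root. A parent that is a symlink to a
    directory outside dest_root causes the member to be refused rather than
    being written through the link, which is the condition in the CVE text.
    """
    root = os.path.realpath(dest_root)
    if os.path.isabs(member_name):
        return None
    parts = [p for p in member_name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    # realpath resolves the components that already exist on disk, so a
    # symlinked parent is followed to its real target before the check.
    parent = os.path.realpath(os.path.join(root, *parts[:-1]))
    # commonpath compares normalised path components, so a sibling such as
    # /tmp/outside does not pass as a prefix match of /tmp/out.
    if os.path.commonpath([root, parent]) != root:
        return None
    return os.path.join(parent, parts[-1])


def demo():
    """Build a constructed layout and return the decision for each member."""
    base = tempfile.mkdtemp(prefix="autoar-demo-")
    dest = os.path.join(base, "extract")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(dest, "sub"))
    os.makedirs(outside)
    # Stands in for a symlink that an earlier archive member could have
    # created inside the extraction root (constructed for the demo).
    os.symlink(outside, os.path.join(dest, "link"))

    members = ["sub/ok.txt", "link/escaped.txt", "../escaped.txt", "top.txt"]
    return {m: resolve_member_path(dest, m) for m in members}


if __name__ == "__main__":
    for member, decision in demo().items():
        print(member, "->", decision if decision else "REFUSED")
```

The refusal of `link/escaped.txt` is the interesting case: the name itself contains no `..`, so a check that only inspects the member string would accept it; only resolving the parent on disk reveals that it leaves the extraction root.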


