Bug#982737: gnome-autoar: CVE-2020-36241

Salvatore Bonaccorso carnil at debian.org
Wed Mar 3 14:06:26 GMT 2021


Hi Michael,

On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> Hi Salvatore
> 
> On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > Source: gnome-autoar
> > > Version: 0.2.4-2
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > > Control: found -1 0.2.3-2
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for gnome-autoar.
> > > 
> > > CVE-2020-36241[0]:
> > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > | during extraction because it lacks a check of whether a file's parent
> > > | is a symlink to a directory outside of the intended extraction
> > > | location.
> > > 
> > > If possible this ideally should be fixed in bullseye in time.
> > 
> > Would it be possible to cherry-pick the fix so we have the fix
> > included in bullseye?
> 
> 
> Seems reasonable. That said, I haven't really done any GNOME related uploads
> for quite a while.

Yep, thanks for the reply! (I just explicitly pinged the last couple of
uploaders.) Anyone else from the team who could handle that?

Regards,
Salvatore
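The check the CVE description quoted above says is missing (that an entry's parent directory does not resolve, via a symlink, to somewhere outside the extraction location), written out as an added C illustration; this is not gnome-autoar's own code, and `parent_stays_inside`, `demo_symlink_parent_check` and the fixture paths are assumed names.

```c
#define _GNU_SOURCE
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 only if the directory that will hold entry_rel (relative to dest_root) resolves,
 * every symlink followed, to dest_root or a directory below it; a parent that does
 * not exist yet is refused rather than guessed at. */
static int parent_stays_inside(const char *dest_root, const char *entry_rel)
{
    char joined[4096];
    if (snprintf(joined, sizeof joined, "%s/%s", dest_root, entry_rel) >= (int)sizeof joined)
        return 0;
    char *root_real = realpath(dest_root, NULL);
    char *parent_real = realpath(dirname(joined), NULL); /* dirname edits joined in place */
    int ok = 0;
    if (root_real && parent_real) {
        size_t n = strlen(root_real);               /* prefix match must end at a '/' */
        ok = (n == 1) || (strncmp(parent_real, root_real, n) == 0 &&
                          (parent_real[n] == '\0' || parent_real[n] == '/'));
    }
    free(root_real);
    free(parent_real);
    return ok;
}

/* Constructed fixture (hypothetical names): <tmp>/extract is the destination,
 * <tmp>/outside lies beyond it, and <tmp>/extract/evil -> <tmp>/outside is a symlink
 * such as an earlier archive entry could have planted. Returns 0 on setup failure;
 * else bit 0 = entry under a real parent accepted, bit 1 = entry under the symlinked
 * parent refused. */
int demo_symlink_parent_check(void)
{
    char base[] = "/tmp/autoar-demo-XXXXXX";
    if (mkdtemp(base) == NULL) return 0;
    char extract[4200], outside[4200], evil_link[4200];
    snprintf(extract, sizeof extract, "%s/extract", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(evil_link, sizeof evil_link, "%s/extract/evil", base);
    int result = 0;
    if (mkdir(extract, 0700) == 0 && mkdir(outside, 0700) == 0 && symlink(outside, evil_link) == 0) {
        result |= parent_stays_inside(extract, "README") ? 1 : 0;
        result |= parent_stays_inside(extract, "evil/escaped") ? 0 : 2;
    }
    unlink(evil_link); rmdir(outside); rmdir(extract); rmdir(base);   /* tidy up the fixture */
    return result;
}
```

The demo returns 3 when the honest entry is accepted and the entry beneath the symlinked parent is refused; a naive lexical check on the unresolved path would accept both.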
