Bug#982737: gnome-autoar: CVE-2020-36241
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 6 19:46:02 GMT 2021
Hi,
On Wed, Mar 03, 2021 at 03:06:26PM +0100, Salvatore Bonaccorso wrote:
> Hi Michael,
>
> On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> > Hi Salvatore
> >
> > On 01.03.21 at 10:57 Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > > Source: gnome-autoar
> > > > Version: 0.2.4-2
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > > > Control: found -1 0.2.3-2
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for gnome-autoar.
> > > >
> > > > CVE-2020-36241[0]:
> > > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > > | during extraction because it lacks a check of whether a file's parent
> > > > | is a symlink to a directory outside of the intended extraction
> > > > | location.
> > > >
> > > > If possible this ideally should be fixed in bullseye in time.
> > >
> > > Would it be possible to cherry-pick the fix so we have the fix
> > > included in bullseye?
> >
> >
> > Seems reasonable. That said, I haven't really done any GNOME-related uploads
> > for quite a while.
>
> Yep, thanks for the reply! (I just explicitly pinged the last couple of
> uploaders.) Anyone else from the team who could handle that?
Probably already on your radar as well, but there is also a
regression fix needed for it, as per
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/cc4e8b7ccc973ac69d75a7423fbe1bcdc51e2cb3
Regards,
Salvatore
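As an added illustration (not gnome-autoar's code and not the upstream fix), here is a check of the kind the CVE description says was missing: before an archive entry is written, resolve the directory that would receive it and confirm that directory still lies under the extraction target, so a symlink planted by an earlier entry cannot redirect the write elsewhere. The function names and the /tmp fixture are constructed for this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the directory that would receive `entry` (its parent, joined with
 * `dest`) resolves to `dest` itself or somewhere beneath it; 0 if it resolves
 * elsewhere, e.g. through a planted symlink; -1 if it cannot be resolved.
 * Assumes `dest` is an existing directory other than "/". */
int parent_within_dest(const char *dest, const char *entry)
{
    char joined[PATH_MAX], real_dest[PATH_MAX], real_parent[PATH_MAX];
    if (snprintf(joined, sizeof joined, "%s/%s", dest, entry) >= (int)sizeof joined)
        return -1;
    *strrchr(joined, '/') = '\0';        /* drop the file name, keep the parent */
    if (!realpath(dest, real_dest) || !realpath(joined, real_parent))
        return -1;                       /* parent missing: create it before checking */
    size_t n = strlen(real_dest);
    if (strncmp(real_parent, real_dest, n) != 0)
        return 0;                        /* resolved outside the target tree */
    return real_parent[n] == '\0' || real_parent[n] == '/';
}

/* Constructed fixture under /tmp: dest/, dest/sub/, outside/, and a symlink
 * dest/escape -> ../outside standing in for one planted by an earlier entry.
 * Returns a bitmask: bit0 plain entry accepted, bit1 entry in an ordinary
 * subdirectory accepted, bit2 entry below the symlink rejected. Expect 7. */
int demo(void)
{
    char tmpl[] = "/tmp/autoar-check-XXXXXX", dest[PATH_MAX], p[PATH_MAX];
    char *tmp = mkdtemp(tmpl);
    if (!tmp) return -1;
    snprintf(dest, sizeof dest, "%s/dest", tmp);
    snprintf(p, sizeof p, "%s/outside", tmp);
    mkdir(p, 0700); mkdir(dest, 0700);
    snprintf(p, sizeof p, "%s/sub", dest);    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/escape", dest); if (symlink("../outside", p)) return -1;
    int r = 0;
    if (parent_within_dest(dest, "notes.txt") == 1)        r |= 1;
    if (parent_within_dest(dest, "sub/notes.txt") == 1)    r |= 2;
    if (parent_within_dest(dest, "escape/notes.txt") == 0) r |= 4;
    unlink(p);                                  /* tear the fixture down */
    snprintf(p, sizeof p, "%s/sub", dest);     rmdir(p);
    snprintf(p, sizeof p, "%s/outside", tmp);  rmdir(p);
    rmdir(dest); rmdir(tmp);
    return r;
}
```

The same check must be repeated for every entry, since a later entry can only be redirected by a link that an earlier one created.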