On Wed, Mar 17, 2021 at 09:36:44AM +0100, Salvatore Bonaccorso wrote: > Source: gnome-autoar > Version: 0.2.4-3 > Severity: important > Tags: security upstream > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12 > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org>,seb...@ubuntu.com > Control: fixed -1 0.3.1-1 > > Hi, > > I'm X-Debbugs-CC'ing as well explicitly Sebastien. > > The following vulnerability was published for gnome-autoar. > > CVE-2021-28650[0]: > | autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by > | GNOME Shell, Nautilus, and other software, allows Directory Traversal > | during extraction because it lacks a check of whether a file's parent > | is a symlink in certain complex situations. NOTE: this issue exists > | because of an incomplete fix for CVE-2020-36241. > > It appears that CVE-2020-36241 was not fixed completely, and resulted > in CVE-2021-28650 with upstream commit [1]. The corresponding upstream > issue is not (yet?) public, but maybe you have access to it. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-28650 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650 > [1] > https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
There's two additional fixes which fix regressions from the security fix: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/135053d5d3a0320891cf2e2ad4684b648bb46fc8 https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b9590ab77b70e74e9deffd2af6c32908dc3c5aaf Cheers, Moritz
