Hi,

On Wed, Mar 03, 2021 at 03:06:26PM +0100, Salvatore Bonaccorso wrote:
> Hi Michael,
>
> On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> > Hi Salvatore
> >
> > On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > > Source: gnome-autoar
> > > > Version: 0.2.4-2
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > > > <t...@security.debian.org>
> > > > Control: found -1 0.2.3-2
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for gnome-autoar.
> > > >
> > > > CVE-2020-36241[0]:
> > > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > > | during extraction because it lacks a check of whether a file's parent
> > > > | is a symlink to a directory outside of the intended extraction
> > > > | location.
> > > >
> > > > If possible this ideally should be fixed in bullseye in time.
> > >
> > > Would it be possible to cherry-pick the fix so we have the fix
> > > included in bullseye?
> >
> > Seems reasonable. That said, I haven't really done any GNOME related uploads
> > for quite a while.
>
> Jupp, thanks for the reply! (I just pinged explicitly the last couple of
> uploaders). Anyone else from the team who could handle that?

Probably as well on your radar already, but there is as well a regression fix
needed for it as per
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/cc4e8b7ccc973ac69d75a7423fbe1bcdc51e2cb3

Regards,
Salvatore
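As an added example, not gnome-autoar's code and not the upstream fix linked above, here is the kind of check the CVE description says was missing: resolve the parent directory of each entry's destination with realpath() and require it to stay under the extraction root, so a parent that is a symlink to an outside directory (or a plain `..` parent) is rejected before anything is written. The demo() scenario, its directory names and the /tmp template are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if the parent directory of archive entry `member`, placed under `root_dir`,
 * resolves to root_dir or a subdirectory of it; 0 if it escapes the root
 * (e.g. a parent that is a symlink to an outside directory); -1 if unresolvable. */
int parent_inside_root(const char *root_dir, const char *member)
{
    char full[PATH_MAX], root_real[PATH_MAX], parent_real[PATH_MAX];
    size_t n;
    if (realpath(root_dir, root_real) == NULL)
        return -1;
    if (snprintf(full, sizeof full, "%s/%s", root_dir, member) >= (int)sizeof full)
        return -1;
    *strrchr(full, '/') = '\0';          /* keep only the parent directory */
    /* realpath() follows every symlink component, so a symlinked parent
     * comes back as the directory it really points to. */
    if (realpath(full, parent_real) == NULL)
        return -1;
    n = strcmp(root_real, "/") == 0 ? 0 : strlen(root_real);
    if (strncmp(parent_real, root_real, n) != 0)
        return 0;
    return (parent_real[n] == '\0' || parent_real[n] == '/') ? 1 : 0;
}

/* Constructed scenario: an extraction root with a real subdirectory and a
 * symlink to a directory outside it. Returns 1 when the check accepts the
 * entry under the real directory and rejects the one under the symlink. */
int demo(void)
{
    char tmpl[] = "/tmp/autoar-check-XXXXXX";   /* constructed temp location */
    char root[PATH_MAX], outside[PATH_MAX], sub[PATH_MAX], link[PATH_MAX];
    int ok;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(root, sizeof root, "%s/extract", tmpl);
    snprintf(outside, sizeof outside, "%s/outside", tmpl);
    snprintf(sub, sizeof sub, "%s/sub", root);
    snprintf(link, sizeof link, "%s/escape", root);
    if (mkdir(root, 0700) || mkdir(outside, 0700) || mkdir(sub, 0700) ||
        symlink(outside, link))
        return -1;
    ok = parent_inside_root(root, "sub/file.txt") == 1 &&
         parent_inside_root(root, "escape/file.txt") == 0;
    unlink(link); rmdir(sub); rmdir(outside); rmdir(root); rmdir(tmpl);
    return ok;
}
```

The check must run against the directory as it exists at the moment each entry is written, since an archive can create the symlink itself earlier in the same extraction.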