Hi Michael,

On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> Hi Salvatore
>
> On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > Source: gnome-autoar
> > > Version: 0.2.4-2
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > X-Debbugs-Cc: [email protected], Debian Security Team
> > > <[email protected]>
> > > Control: found -1 0.2.3-2
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for gnome-autoar.
> > >
> > > CVE-2020-36241[0]:
> > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > | during extraction because it lacks a check of whether a file's parent
> > > | is a symlink to a directory outside of the intended extraction
> > > | location.
> > >
> > > If possible this ideally should be fixed in bullseye in time.
> >
> > Would it be possible to cherry-pick the fix so we have the fix
> > included in bullseye?
>
>
> Seems reasonable. That said, I haven't really done any GNOME related uploads
> for quite a while.

Jupp thanks for the reply! (I just pinged explicitly the last couple of
uploaders).

Anyone else from the team who could handle that?

Regards,
Salvatore
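
The check that the CVE-2020-36241 description quoted above says is missing, sketched in C as an added example: it is not code from this thread and not the upstream gnome-autoar fix. The function names, the constructed layout under /tmp, and the assumption that an entry's parent directories already exist when the check runs are all illustrative.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if the parent directory of dest/entry, with
 * symlinks resolved, is dest itself or lies below it; 0 otherwise or on error. */
int parent_is_inside(const char *dest, const char *entry)
{
    char joined[PATH_MAX], real_dest[PATH_MAX], real_parent[PATH_MAX];
    char *slash;
    size_t n;
    int len = snprintf(joined, sizeof joined, "%s/%s", dest, entry);

    if (len < 0 || (size_t)len >= sizeof joined)
        return 0;                        /* path too long: fail closed */
    slash = strrchr(joined, '/');        /* never NULL, we inserted a '/' */
    *slash = '\0';                       /* keep only the parent directory */
    if (!realpath(dest, real_dest) || !realpath(joined, real_parent))
        return 0;                        /* unresolvable: fail closed */
    n = strlen(real_dest);
    if (n == 1)
        return 1;                        /* dest is "/", everything is below it */
    return strncmp(real_parent, real_dest, n) == 0 &&
           (real_parent[n] == '/' || real_parent[n] == '\0');
}

/* Constructed layout in a fresh temp dir (left in place for inspection):
 *   <tmp>/dest/sub       real directory
 *   <tmp>/dest/link  ->  <tmp>/outside
 * Returns 2*check("sub/a.txt") + check("link/a.txt"), or -1 on setup error. */
int demo(void)
{
    char tmp[] = "/tmp/autoar-demoXXXXXX", dest[64], out[64], p[128];
    if (!mkdtemp(tmp)) return -1;
    snprintf(dest, sizeof dest, "%s/dest", tmp);
    snprintf(out, sizeof out, "%s/outside", tmp);
    snprintf(p, sizeof p, "%s/sub", dest);
    if (mkdir(dest, 0700) || mkdir(out, 0700) || mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/link", dest);
    if (symlink(out, p)) return -1;
    return 2 * parent_is_inside(dest, "sub/a.txt") + parent_is_inside(dest, "link/a.txt");
}

int main(void)
{
    printf("demo result: %d\n", demo());
    return 0;
}
```

A check like this only helps if it runs for every entry immediately before the write, since an earlier entry in the same archive can create the symlink.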

