Source: gnome-autoar Version: 0.2.4-3 Severity: important Tags: security upstream Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>,[email protected] Control: fixed -1 0.3.1-1
Hi, I'm X-Debbugs-CC'ing as well explicitly Sebastien. The following vulnerability was published for gnome-autoar. CVE-2021-28650[0]: | autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by | GNOME Shell, Nautilus, and other software, allows Directory Traversal | during extraction because it lacks a check of whether a file's parent | is a symlink in certain complex situations. NOTE: this issue exists | because of an incomplete fix for CVE-2020-36241. It appears that CVE-2020-36241 was not fixed completely, and resulted in CVE-2021-28650 with upstream commit [1]. The corresponding upstream issue is not (yet?) public, but maybe you have access to it. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-28650 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650 [1] https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4 Regards, Salvatore
