This bug was fixed in the package gnome-autoar - 0.2.4-2ubuntu0.1 --------------- gnome-autoar (0.2.4-2ubuntu0.1) groovy-security; urgency=medium
* SECURITY UPDATE: directory traversal issue (LP: #1901240) - debian/patches/CVE-2020-36241.patch: do not extract files outside the destination dir in gnome-autoar/autoar-extractor.c. - CVE-2020-36241 -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 10 Feb 2021 13:55:36 -0500 ** Changed in: gnome-autoar (Ubuntu) Status: Confirmed => Fix Released ** Changed in: gnome-autoar (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-autoar in Ubuntu. https://bugs.launchpad.net/bugs/1901240 Title: Ubuntu GNOME Path Traversal Status in gnome-autoar package in Ubuntu: Fix Released Bug description: Summary: A malicious package may be able to overwrite arbitrary files Proof of concept: 1- Download "example.tar" 2- Click on the right button on a mouse (on "example.tar") 3- Click "Extract Here" 4- Check the "/tmp" path for "test" file Version: Ubuntu 20.04.1 GNOME Files 3.36.3-stable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp