[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal

Launchpad Bug Tracker Thu, 11 Feb 2021 04:51:17 -0800

This bug was fixed in the package gnome-autoar - 0.2.4-2ubuntu0.1

---------------
gnome-autoar (0.2.4-2ubuntu0.1) groovy-security; urgency=medium


  * SECURITY UPDATE: directory traversal issue (LP: #1901240)
    - debian/patches/CVE-2020-36241.patch: do not extract files outside the
      destination dir in gnome-autoar/autoar-extractor.c.
    - CVE-2020-36241

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 10 Feb 2021
13:55:36 -0500

** Changed in: gnome-autoar (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: gnome-autoar (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-autoar in Ubuntu.
https://bugs.launchpad.net/bugs/1901240

Title:
  Ubuntu GNOME Path Traversal

Status in gnome-autoar package in Ubuntu:
  Fix Released

Bug description:
  Summary:
  A malicious package may be able to overwrite arbitrary files

  Proof of concept:
  1- Download "example.tar"
  2- Click on the right button on a mouse (on "example.tar")
  3- Click "Extract Here"
  4- Check the "/tmp" path for "test" file

  Version:
  Ubuntu 20.04.1
  GNOME Files 3.36.3-stable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal

Reply via email to