Bug#982737: gnome-autoar: CVE-2020-36241
Hi Sebastien,

On Mon, Mar 08, 2021 at 01:28:51PM +0100, Sebastien Bacher wrote:
> Hey there
>
> On 06/03/2021 at 20:46, Salvatore Bonaccorso wrote:
> > Probably as well on your radar already, but there is as well a
> > regression fix needed for it as per
> >
> > https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/cc4e8b7ccc973ac69d75a7423fbe1bcdc51e2cb3
>
> Thanks Salvatore for pointing that out. I've uploaded a backport of the
> CVE patch + the regression fix to unstable now

Thank you!

Salvatore
Bug#982737: gnome-autoar: CVE-2020-36241
Hey there

On 06/03/2021 at 20:46, Salvatore Bonaccorso wrote:
> Probably as well on your radar already, but there is as well a
> regression fix needed for it as per
>
> https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/cc4e8b7ccc973ac69d75a7423fbe1bcdc51e2cb3

Thanks Salvatore for pointing that out. I've uploaded a backport of the
CVE patch + the regression fix to unstable now

Cheers,
Sebastien Bacher
Bug#982737: gnome-autoar: CVE-2020-36241
Hi,

On Wed, Mar 03, 2021 at 03:06:26PM +0100, Salvatore Bonaccorso wrote:
> Hi Michael,
>
> On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> > Hi Salvatore
> >
> > On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > > Source: gnome-autoar
> > > > Version: 0.2.4-2
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > > >
> > > > Control: found -1 0.2.3-2
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for gnome-autoar.
> > > >
> > > > CVE-2020-36241[0]:
> > > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > > | during extraction because it lacks a check of whether a file's parent
> > > > | is a symlink to a directory outside of the intended extraction
> > > > | location.
> > > >
> > > > If possible this ideally should be fixed in bullseye in time.
> > >
> > > Would it be possible to cherry-pick the fix so we have the fix
> > > included in bullseye?
> > >
> >
> > Seems reasonable. That said, I haven't really done any GNOME related uploads
> > for quite a while.
>
> Jupp thanks for the reply! (I just pinged explicitly the last couple of
> uploaders). Anyone else from the team who could handle that?

Probably as well on your radar already, but there is as well a
regression fix needed for it as per

https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/cc4e8b7ccc973ac69d75a7423fbe1bcdc51e2cb3

Regards,
Salvatore
Bug#982737: gnome-autoar: CVE-2020-36241
Hi Michael,

On Mon, Mar 01, 2021 at 11:24:19AM +0100, Michael Biebl wrote:
> Hi Salvatore
>
> On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > > Source: gnome-autoar
> > > Version: 0.2.4-2
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > >
> > > Control: found -1 0.2.3-2
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for gnome-autoar.
> > >
> > > CVE-2020-36241[0]:
> > > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > > | during extraction because it lacks a check of whether a file's parent
> > > | is a symlink to a directory outside of the intended extraction
> > > | location.
> > >
> > > If possible this ideally should be fixed in bullseye in time.
> >
> > Would it be possible to cherry-pick the fix so we have the fix
> > included in bullseye?
> >
>
> Seems reasonable. That said, I haven't really done any GNOME related uploads
> for quite a while.

Jupp thanks for the reply! (I just pinged explicitly the last couple of
uploaders). Anyone else from the team who could handle that?

Regards,
Salvatore
Bug#982737: gnome-autoar: CVE-2020-36241
Hi Salvatore

On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > Source: gnome-autoar
> > Version: 0.2.4-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Control: found -1 0.2.3-2
> >
> > Hi,
> >
> > The following vulnerability was published for gnome-autoar.
> >
> > CVE-2020-36241[0]:
> > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > | during extraction because it lacks a check of whether a file's parent
> > | is a symlink to a directory outside of the intended extraction
> > | location.
> >
> > If possible this ideally should be fixed in bullseye in time.
>
> Would it be possible to cherry-pick the fix so we have the fix
> included in bullseye?

Seems reasonable. That said, I haven't really done any GNOME related uploads
for quite a while.

Regards,
Michael
Bug#982737: gnome-autoar: CVE-2020-36241
Hi,

On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-2
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Control: found -1 0.2.3-2
>
> Hi,
>
> The following vulnerability was published for gnome-autoar.
>
> CVE-2020-36241[0]:
> | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink to a directory outside of the intended extraction
> | location.
>
> If possible this ideally should be fixed in bullseye in time.

Would it be possible to cherry-pick the fix so we have the fix
included in bullseye?

Regards,
Salvatore
Bug#982737: gnome-autoar: CVE-2020-36241
Source: gnome-autoar
Version: 0.2.4-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Control: found -1 0.2.3-2

Hi,

The following vulnerability was published for gnome-autoar.

CVE-2020-36241[0]:
| autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
| GNOME Shell, Nautilus, and other software, allows Directory Traversal
| during extraction because it lacks a check of whether a file's parent
| is a symlink to a directory outside of the intended extraction
| location.

If possible this ideally should be fixed in bullseye in time.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-36241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36241
[1] https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
[2] https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

Regards,
Salvatore
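As an added illustration of the check the advisory text describes as missing (this is example code written for this page, not gnome-autoar's code and not the upstream fix linked in [1]): before an extractor writes an entry, it resolves the entry's parent directory with realpath(3), which follows any symlink in that parent, and then requires the resolved parent to lie inside the resolved extraction root. The function names, the bitmask convention and the temporary directory fixture are constructed for this example.

```c
/* Added example (not gnome-autoar's own code): containment check for an
 * extraction destination that follows symlinks in the parent path.
 * Fixture and names below are constructed for illustration. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if "root/rel" may be written, 0 if its parent resolves outside
 * root or cannot be resolved, -1 on internal error. realpath(3) follows
 * symlinks in the parent, so "escape/evil.txt" with escape -> /elsewhere is
 * refused, as is "../x". The final component is not resolved because it
 * normally does not exist yet. */
static int destination_is_inside_root(const char *root, const char *rel)
{
    char root_real[PATH_MAX], parent_real[PATH_MAX], parent[PATH_MAX];
    char *slash;
    size_t n;

    if (!realpath(root, root_real))
        return -1;
    if (snprintf(parent, sizeof parent, "%s/%s", root_real, rel) >= (int)sizeof parent)
        return -1;
    slash = strrchr(parent, '/');          /* drop the last component */
    if (!slash)
        return -1;
    *slash = '\0';
    if (!realpath(parent, parent_real))    /* missing parent or dangling link */
        return 0;
    n = strlen(root_real);
    if (strncmp(parent_real, root_real, n) != 0)
        return 0;
    /* resolved parent is root itself or a path strictly below root
     * (n == 1 means root is "/", which contains everything) */
    return n == 1 || parent_real[n] == '\0' || parent_real[n] == '/';
}

/* Constructed fixture under a fresh temp dir:
 *   <tmp>/root/              extraction root
 *   <tmp>/root/sub/          ordinary subdirectory
 *   <tmp>/root/escape -> <tmp>/outside   symlink leaving the root */
static int build_fixture(char *tmp_out, size_t len)
{
    const char *base = getenv("TMPDIR");
    char path[PATH_MAX], outside[PATH_MAX];

    if (!base)
        base = "/tmp";
    if (snprintf(tmp_out, len, "%s/autoar-check-XXXXXX", base) >= (int)len)
        return -1;
    if (!mkdtemp(tmp_out))
        return -1;
    snprintf(path, sizeof path, "%s/root", tmp_out);
    if (mkdir(path, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/root/sub", tmp_out);
    if (mkdir(path, 0700) != 0)
        return -1;
    snprintf(outside, sizeof outside, "%s/outside", tmp_out);
    if (mkdir(outside, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/root/escape", tmp_out);
    return symlink(outside, path);
}

static void remove_fixture(const char *tmp)
{
    const char *rel[] = { "root/escape", "root/sub", "root", "outside" };
    char path[PATH_MAX];
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", tmp, rel[i]);
        if (unlink(path) != 0)
            rmdir(path);
    }
    rmdir(tmp);
}

/* Bitmask of entries the check ACCEPTS: bit 0 = "sub/ok.txt",
 * bit 1 = "escape/evil.txt", bit 2 = "../dotdot.txt". Only bit 0 should
 * be set; -1 if the fixture could not be built. */
static int run_demo(void)
{
    char tmp[PATH_MAX], root[PATH_MAX];
    int mask = 0;

    if (build_fixture(tmp, sizeof tmp) != 0)
        return -1;
    snprintf(root, sizeof root, "%s/root", tmp);
    if (destination_is_inside_root(root, "sub/ok.txt") == 1)
        mask |= 1;
    if (destination_is_inside_root(root, "escape/evil.txt") == 1)
        mask |= 2;
    if (destination_is_inside_root(root, "../dotdot.txt") == 1)
        mask |= 4;
    remove_fixture(tmp);
    return mask;
}

int main(void)
{
    int mask = run_demo();
    printf("sub/ok.txt accepted:      %s\n", (mask & 1) ? "yes" : "no");
    printf("escape/evil.txt accepted: %s\n", (mask & 2) ? "yes" : "no");
    printf("../dotdot.txt accepted:   %s\n", (mask & 4) ? "yes" : "no");
    return mask == 1 ? 0 : 1;
}
```

Build with `cc -o autoar-check autoar-check.c` and run it; only the entry under the ordinary subdirectory is accepted. Two design caveats a reviewer would raise on such a check: it is check-then-write, so an extractor that wants to narrow the race window should open the parent directory first and create the file relative to that descriptor (openat with O_NOFOLLOW-style flags) rather than re-walking the path; and the final component should also be opened without following symlinks, since this check deliberately leaves it unresolved.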