On Wed, Mar 17, 2021 at 09:36:44AM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-3
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> ,seb...@ubuntu.com
> Control: fixed -1 0.3.1-1
>
> Hi,
>
> I'm X-Debbugs-CC'ing as well explicitly Sebastien.
>
> The following vulnerability was published for gnome-autoar.
>
> CVE-2021-28650[0]:
> | autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink in certain complex situations. NOTE: this issue exists
> | because of an incomplete fix for CVE-2020-36241.
>
> It appears that CVE-2020-36241 was not fixed completely, and resulted
> in CVE-2021-28650 with upstream commit [1]. The corresponding upstream
> issue is not (yet?) public, but maybe you have access to it.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-28650
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650
> [1]
> https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
There's two additional fixes which fix regressions from the security fix:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/135053d5d3a0320891cf2e2ad4684b648bb46fc8
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b9590ab77b70e74e9deffd2af6c32908dc3c5aaf
Cheers,
Moritz
