[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal
This bug was fixed in the package gnome-autoar - 0.2.3-2ubuntu0.1 --- gnome-autoar (0.2.3-2ubuntu0.1) focal-security; urgency=medium * SECURITY UPDATE: directory traversal issue (LP: #1901240) - debian/patches/CVE-2020-36241.patch: do not extract files outside the destination dir in gnome-autoar/autoar-extractor.c. - CVE-2020-36241 -- Marc Deslauriers Wed, 10 Feb 2021 13:59:00 -0500 ** Changed in: gnome-autoar (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-autoar in Ubuntu. https://bugs.launchpad.net/bugs/1901240 Title: Ubuntu GNOME Path Traversal Status in gnome-autoar package in Ubuntu: Fix Released Bug description: Summary: A malicious package may be able to overwrite arbitrary files Proof of concept: 1- Download "example.tar" 2- Click on the right button on a mouse (on "example.tar") 3- Click "Extract Here" 4- Check the "/tmp" path for "test" file Version: Ubuntu 20.04.1 GNOME Files 3.36.3-stable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal
This bug was fixed in the package gnome-autoar - 0.2.4-2ubuntu0.1 --- gnome-autoar (0.2.4-2ubuntu0.1) groovy-security; urgency=medium * SECURITY UPDATE: directory traversal issue (LP: #1901240) - debian/patches/CVE-2020-36241.patch: do not extract files outside the destination dir in gnome-autoar/autoar-extractor.c. - CVE-2020-36241 -- Marc Deslauriers Wed, 10 Feb 2021 13:55:36 -0500 ** Changed in: gnome-autoar (Ubuntu) Status: Confirmed => Fix Released ** Changed in: gnome-autoar (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-autoar in Ubuntu. https://bugs.launchpad.net/bugs/1901240 Title: Ubuntu GNOME Path Traversal Status in gnome-autoar package in Ubuntu: Fix Released Bug description: Summary: A malicious package may be able to overwrite arbitrary files Proof of concept: 1- Download "example.tar" 2- Click on the right button on a mouse (on "example.tar") 3- Click "Extract Here" 4- Check the "/tmp" path for "test" file Version: Ubuntu 20.04.1 GNOME Files 3.36.3-stable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal
This bug was fixed in the package gnome-autoar - 0.2.3-1ubuntu0.1 --- gnome-autoar (0.2.3-1ubuntu0.1) bionic-security; urgency=medium * SECURITY UPDATE: directory traversal issue (LP: #1901240) - debian/patches/CVE-2020-36241.patch: do not extract files outside the destination dir in gnome-autoar/autoar-extractor.c. - CVE-2020-36241 -- Marc Deslauriers Wed, 10 Feb 2021 13:59:35 -0500 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-autoar in Ubuntu. https://bugs.launchpad.net/bugs/1901240 Title: Ubuntu GNOME Path Traversal Status in gnome-autoar package in Ubuntu: Fix Released Bug description: Summary: A malicious package may be able to overwrite arbitrary files Proof of concept: 1- Download "example.tar" 2- Click on the right button on a mouse (on "example.tar") 3- Click "Extract Here" 4- Check the "/tmp" path for "test" file Version: Ubuntu 20.04.1 GNOME Files 3.36.3-stable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1901240] Re: Ubuntu GNOME Path Traversal
Upstream issue: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7 and associated fix https://gitlab.gnome.org/GNOME/gnome- autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429 Given that this is public upstream, I'm going to open this issue ap as well. ** Bug watch added: gitlab.gnome.org/GNOME/gnome-autoar/-/issues #7 https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-autoar in Ubuntu. https://bugs.launchpad.net/bugs/1901240 Title: Ubuntu GNOME Path Traversal Status in gnome-autoar package in Ubuntu: Confirmed Bug description: Summary: A malicious package may be able to overwrite arbitrary files Proof of concept: 1- Download "example.tar" 2- Click on the right button on a mouse (on "example.tar") 3- Click "Extract Here" 4- Check the "/tmp" path for "test" file Version: Ubuntu 20.04.1 GNOME Files 3.36.3-stable To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1901240/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
