Opened 4 years ago
Closed 4 years ago
#14649 closed enhancement (fixed)
gnome-autoar-0.3.0
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 10.1 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version - Security Release (CVE-2020-36241)
Change History (5)
comment:1 by , 4 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 4 years ago
From NVD
CVE-2020-36241 Detail

Current Description

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
NVD marks it as Medium, so let's go with that. However, it could be exploitable through automatic indexing in Tracker, so I'm kind of on the fence about that.
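The check the NVD text says was missing, sketched in C as an added example; this is not code from this ticket or from gnome-autoar. The helper names `parent_stays_inside` and `demo`, and the temporary directory layout, are assumptions made for illustration.

```c
/* Added example; not gnome-autoar code. Names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if the parent directory of archive member `entry`, with every
 * symlink resolved, is `dest` or lies below it; return 0 otherwise.
 * `entry` is the member's relative path as stored in the archive. */
int parent_stays_inside(const char *dest, const char *entry)
{
    char root[PATH_MAX], joined[PATH_MAX * 2], parent[PATH_MAX];
    size_t n;
    int len;
    if (entry[0] == '/' || !realpath(dest, root))
        return 0;
    len = snprintf(joined, sizeof joined, "%s/%s", root, entry);
    if (len < 0 || (size_t)len >= sizeof joined)
        return 0;
    *strrchr(joined, '/') = '\0';      /* drop the file name, keep the parent */
    if (!realpath(joined, parent))     /* parent must already exist on disk */
        return 0;
    n = strlen(root);
    if (n == 1)                        /* dest is "/": everything is below it */
        return 1;
    return strncmp(parent, root, n) == 0 && (parent[n] == '/' || parent[n] == '\0');
}

/* Constructed fixture in a fresh temp dir: dest/sub is a real directory,
 * dest/link is a symlink to a sibling directory outside dest.
 * Bit 0 of the result: "sub/a.txt" accepted; bit 1: "link/a.txt" accepted. */
int demo(void)
{
    char tmp[] = "/tmp/autoar-demo-XXXXXX";
    char dest[64], out[64], sub[80], lnk[80];
    if (!mkdtemp(tmp))
        return -1;
    snprintf(dest, sizeof dest, "%s/dest", tmp);
    snprintf(out, sizeof out, "%s/outside", tmp);
    snprintf(sub, sizeof sub, "%s/sub", dest);
    snprintf(lnk, sizeof lnk, "%s/link", dest);
    if (mkdir(dest, 0700) || mkdir(out, 0700) || mkdir(sub, 0700) || symlink(out, lnk))
        return -1;
    return parent_stays_inside(dest, "sub/a.txt")
         | (parent_stays_inside(dest, "link/a.txt") << 1);
}

int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

The check is path-based, so an extractor has to evaluate it for each member immediately before writing it, once earlier members are already on disk. It is still subject to a race if the destination can change between the check and the write.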
comment:4 by , 4 years ago
Priority: | high → elevated |
---|