Opened 5 months ago

Closed 5 months ago

#14649 closed enhancement (fixed)

gnome-autoar-0.3.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version - Security Release (CVE-2020-36241)

Change History (5)

comment:1 by Douglas R. Reno, 5 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 5 months ago

News
====

* Recognize MIME type aliases of extractable archives (Hernawan Fa'iz Abdillah)
* Add extraction support for password-protected archives (Felipe Borges)
* CVE-2020-36241: Prevent extraction outside the destination dir (Ondrej Holy)

comment:3 by Douglas R. Reno, 5 months ago

From NVD

CVE-2020-36241 Detail
Current Description

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

NVD marks it as Medium, so let's go with that. However it could be exploitable through automatic indexing in Tracker, so I'm kind of on the fence about that.

comment:4 by Bruce Dubbs, 5 months ago

Priority: highelevated

comment:5 by Douglas R. Reno, 5 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r24214

Note: See TracTickets for help on using tickets.