Opened 4 years ago

Closed 4 years ago

#14649 closed enhancement (fixed)

gnome-autoar-0.3.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version - Security Release (CVE-2020-36241)

Change History (5)

comment:1 by Douglas R. Reno, 4 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 4 years ago

News
====

* Recognize MIME type aliases of extractable archives (Hernawan Fa'iz Abdillah)
* Add extraction support for password-protected archives (Felipe Borges)
* CVE-2020-36241: Prevent extraction outside the destination dir (Ondrej Holy)

comment:3 by Douglas R. Reno, 4 years ago

From NVD

CVE-2020-36241 Detail
Current Description

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

NVD marks it as Medium, so let's go with that. However it could be exploitable through automatic indexing in Tracker, so I'm kind of on the fence about that.

comment:4 by Bruce Dubbs, 4 years ago

Priority: highelevated

comment:5 by Douglas R. Reno, 4 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r24214

Note: See TracTickets for help on using tickets.