Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 777126 (CVE-2021-28650) - <app-arch/gnome-autoar-0.3.1: Directory traversal (CVE-2021-28650)
Summary: <app-arch/gnome-autoar-0.3.1: Directory traversal (CVE-2021-28650)
Status: RESOLVED FIXED
Alias: CVE-2021-28650
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-19 03:50 UTC by Sam James
Modified: 2021-05-26 08:32 UTC (History)
1 user (show)

See Also:
Package list:
app-arch/gnome-autoar-0.3.1
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-19 03:50:20 UTC 
Description:
"autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241."

Patch: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
Comment 1 Larry the Git Cow gentoo-dev 2021-03-21 00:33:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51c21938ec3fde06d235145eb7f39bc2d7002869

commit 51c21938ec3fde06d235145eb7f39bc2d7002869
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-03-20 23:40:58 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-03-20 23:43:19 +0000

    app-arch/gnome-autoar: Version bump to 0.3.1
    
    Bug: https://bugs.gentoo.org/777126
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 app-arch/gnome-autoar/Manifest                  |  1 +
 app-arch/gnome-autoar/gnome-autoar-0.3.1.ebuild | 43 +++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-21 01:13:32 UTC 
Thank you! Please proceed with stabilization when ready.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 05:43:34 UTC 
Ping
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 18:14:49 UTC 
arm64 done
Comment 5 Agostino Sarubbo gentoo-dev 2021-03-29 11:51:13 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-03-29 14:16:07 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Larry the Git Cow gentoo-dev 2021-03-29 15:23:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8089d0f5e111b06dc93296016f2bdde74d354c8e

commit 8089d0f5e111b06dc93296016f2bdde74d354c8e
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-03-29 15:22:35 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-03-29 15:22:55 +0000

    app-arch/gnome-autoar: Drop old versions
    
    Bug: https://bugs.gentoo.org/777126
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 app-arch/gnome-autoar/Manifest                  |  1 -
 app-arch/gnome-autoar/gnome-autoar-0.3.0.ebuild | 43 -------------------------
 2 files changed, 44 deletions(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-29 15:29:10 UTC 
Thanks!
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 21:17:51 UTC 
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:32:06 UTC 
This issue was resolved and addressed in
 GLSA 202105-10 at https://security.gentoo.org/glsa/202105-10
by GLSA coordinator Thomas Deutschmann (whissi).