768828 – (CVE-2020-36241) <app-arch/gnome-autoar-0.3.0: Directory traversal (CVE-2020-36241)

Bug 768828 (CVE-2020-36241) - <app-arch/gnome-autoar-0.3.0: Directory traversal (CVE-2020-36241)

Summary: <app-arch/gnome-autoar-0.3.0: Directory traversal (CVE-2020-36241)

Status:	RESOLVED FIXED

Alias:	CVE-2020-36241

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://gitlab.gnome.org/GNOME/gnome-...
Whiteboard:	A2 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-02-05 08:51 UTC by Sam James
Modified:	2021-05-26 08:32 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2021-28650
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-02-05 08:51:57 UTC

Description:
"autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location."

Bug: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

Patch: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429

Not yet in a release.

Comment 1 Larry the Git Cow gentoo-dev

2021-02-14 21:42:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5d84331184db5b9158f96f5988ec0aecc239968

commit a5d84331184db5b9158f96f5988ec0aecc239968
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-14 21:40:41 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-14 21:42:37 +0000

    app-arch/gnome-autoar: security bump to 0.3.0
    
    Bug: https://bugs.gentoo.org/768828
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 app-arch/gnome-autoar/Manifest                  |  1 +
 app-arch/gnome-autoar/gnome-autoar-0.3.0.ebuild | 43 +++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

Comment 2 Sam James archtester

2021-02-15 00:33:50 UTC

amd64 done

Comment 3 Sam James archtester

2021-02-16 12:26:55 UTC

x86 done

Comment 4 Sam James archtester

2021-02-17 03:56:16 UTC

arm64 done

all arches done

Comment 5 Sam James archtester

2021-02-17 04:05:27 UTC

Please cleanup, thanks!

Comment 6 Larry the Git Cow gentoo-dev

2021-02-18 22:19:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edf2666a6b93762b002011d9f707fd8ff5f92da2

commit edf2666a6b93762b002011d9f707fd8ff5f92da2
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2021-02-18 22:18:42 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2021-02-18 22:19:11 +0000

    app-arch/gnome-autoar: security cleanup
    
    Bug: https://bugs.gentoo.org/768828
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 app-arch/gnome-autoar/Manifest                  |  1 -
 app-arch/gnome-autoar/gnome-autoar-0.2.4.ebuild | 43 -------------------------
 2 files changed, 44 deletions(-)

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 21:22:40 UTC

Added to an existing GLSA request.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 08:32:03 UTC

This issue was resolved and addressed in
 GLSA 202105-10 at https://security.gentoo.org/glsa/202105-10
by GLSA coordinator Thomas Deutschmann (whissi).