Source: gnome-autoar
Version: 0.2.4-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.2.3-2
Hi,

The following vulnerability was published for gnome-autoar.

CVE-2020-36241[0]:
| autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
| GNOME Shell, Nautilus, and other software, allows Directory Traversal
| during extraction because it lacks a check of whether a file's parent
| is a symlink to a directory outside of the intended extraction
| location.

If possible this ideally should be fixed in bullseye in time.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-36241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36241
[1] https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
[2] https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

Regards,
Salvatore
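The missing check the CVE description refers to, illustrated as an added example (not gnome-autoar's code, and not the upstream fix): before writing each archive entry, resolve its on-disk parent directory through any symlinks that earlier entries have already created, and refuse the entry if that real parent lies outside the extraction root. The archive contents, entry format and directory names below are constructed for the demonstration.

```python
import os
import shutil
import tempfile

def parent_escapes_root(root: str, entry_name: str) -> bool:
    """True if the directory the entry would land in, after following
    symlinks already present on disk, lies outside the extraction root."""
    root_real = os.path.realpath(root)
    parent = os.path.dirname(os.path.join(root_real, entry_name))
    # realpath follows any existing symlink component, so a parent that is a
    # symlink to ../outside resolves to the real 'outside' directory.
    parent_real = os.path.realpath(parent)
    return os.path.commonpath([root_real, parent_real]) != root_real

def safe_extract(root: str, entries):
    """Extract (name, kind, payload) tuples into root, skipping entries whose
    parent escapes root. Returns (extracted, rejected) name lists."""
    extracted, rejected = [], []
    for name, kind, payload in entries:
        if parent_escapes_root(root, name):
            rejected.append(name)
            continue
        target = os.path.join(root, name)
        if kind == "dir":
            os.makedirs(target, exist_ok=True)
        elif kind == "symlink":
            os.symlink(payload, target)      # payload is the link target
        else:
            with open(target, "wb") as fh:   # payload is the file content
                fh.write(payload)
        extracted.append(name)
    return extracted, rejected

def demo():
    """Constructed archive: a symlink 'link' -> ../outside, then a file under
    it. Returns (extracted, rejected, whether the file landed outside)."""
    base = tempfile.mkdtemp()
    outside, root = os.path.join(base, "outside"), os.path.join(base, "extract")
    for d in (outside, root):
        os.mkdir(d)
    entries = [
        ("docs", "dir", None),
        ("docs/readme.txt", "file", b"harmless"),
        ("link", "symlink", os.path.join("..", "outside")),
        ("link/escaped.txt", "file", b"must not be written"),
    ]
    extracted, rejected = safe_extract(root, entries)
    leaked = os.path.exists(os.path.join(outside, "escaped.txt"))
    shutil.rmtree(base)
    return extracted, rejected, leaked
```

Because the check is done on the resolved filesystem path rather than on the entry name, it also rejects plain `..` traversal in entry names, not only the symlinked-parent case described in the advisory.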