PublicDateAtUSN: 2021-03-17 06:15:00 UTC
Candidate: CVE-2021-28650
PublicDate: 2021-03-17 06:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650
 https://ubuntu.com/security/notices/USN-4937-1
Description:
 autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/12
Priority: medium
Discovered-by: Ondrej Holy
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_gnome-autoar:
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/merge_requests/15/commits
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f4792b2178c7eec5351eca9b2d8d19c884af7ba3 (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f2175bd3a8604c433129d2f39a7dcb71170d646f (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b5c8efcd87afa8e40d87c8e54ba446298da9136d (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/9ba3d2da6818ccab92197a66a5356daa23c1604d (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2955faea3dddbeea7c8b2e64e1a7efebdc64f430 (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f26d32e02d04ed6686ec9e2af737f0a6258c582c (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/88e21e8aa2841216fa1d7fba617a8692912af51e (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/c4b0b9c9b6522058dc43ee817b0e0bbd1f030617 (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/7f2e1868df66342abd1bb9f456df2b8d5668ef2f (bp)
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2c8d16395cd9b493d21fa5c33da58339089fd723
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/32957ff7841c57cc1d95f7acafab6292407f462e (tests)
upstream_gnome-autoar: released (0.3.1-1)
precise/esm_gnome-autoar: DNE
trusty_gnome-autoar: ignored (out of standard support)
trusty/esm_gnome-autoar: DNE
xenial_gnome-autoar: DNE
bionic_gnome-autoar: released (0.2.3-1ubuntu0.3)
focal_gnome-autoar: released (0.2.3-2ubuntu0.3)
groovy_gnome-autoar: released (0.2.4-2ubuntu0.3)
hirsute_gnome-autoar: not-affected (0.3.1-1)
devel_gnome-autoar: not-affected (0.3.1-1)