
CVE-2021-28650

Published: 17 March 2021

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
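A stand-alone illustration of the check the description says was missing, added here as example code that is not gnome-autoar's own (the function names, the fixture layout built by make_fixture() and the temporary directory path are assumptions for this illustration): before an archive entry is written beneath the extraction root, every directory component on the way to it that already exists is inspected with lstat(2), and a symbolic link anywhere in that chain, an absolute entry name, or a ".." component causes the entry to be refused.

```c
/* Added example, not gnome-autoar's code: a parent-directory symlink check
 * for archive extraction. Names and the constructed fixture are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_COMPONENTS 64

/* Returns 1 if `entry` (an archive member name) may be extracted under
 * `root`, 0 if it must be refused; `*reason` receives a short explanation. */
int entry_parent_is_safe(const char *root, const char *entry, const char **reason)
{
    const char *comp[MAX_COMPONENTS];
    size_t clen[MAX_COMPONENTS];
    int n = 0;

    if (entry[0] == '/') { *reason = "absolute entry path"; return 0; }

    /* Split on '/', dropping empty and "." components, refusing "..". */
    for (const char *p = entry; ; ) {
        const char *slash = strchr(p, '/');
        size_t l = slash ? (size_t)(slash - p) : strlen(p);
        if (l == 2 && p[0] == '.' && p[1] == '.') { *reason = "'..' component"; return 0; }
        if (l > 0 && !(l == 1 && p[0] == '.')) {
            if (n == MAX_COMPONENTS) { *reason = "too many components"; return 0; }
            comp[n] = p; clen[n] = l; n++;
        }
        if (!slash) break;
        p = slash + 1;
    }
    if (n == 0) { *reason = "empty entry path"; return 0; }

    /* Walk the parent components (all but the last) that already exist on
     * disk; each must be a real directory, never a symlink. */
    char path[PATH_MAX];
    int len = snprintf(path, sizeof path, "%s", root);
    if (len < 0 || (size_t)len >= sizeof path) { *reason = "root path too long"; return 0; }

    for (int i = 0; i + 1 < n; i++) {
        struct stat st;
        if ((size_t)len + 1 + clen[i] >= sizeof path) { *reason = "entry path too long"; return 0; }
        path[len++] = '/';
        memcpy(path + len, comp[i], clen[i]);
        len += (int)clen[i];
        path[len] = '\0';

        if (lstat(path, &st) != 0) {
            if (errno == ENOENT) break;   /* remaining components will be created fresh */
            *reason = "lstat failed";
            return 0;
        }
        if (S_ISLNK(st.st_mode)) { *reason = "parent component is a symlink"; return 0; }
        if (!S_ISDIR(st.st_mode)) { *reason = "parent component is not a directory"; return 0; }
    }
    *reason = "ok";
    return 1;
}

/* Constructed fixture (an assumption for this example): a fresh temp root with
 *   real/          a plain directory
 *   real/escape -> ".."   (symlink leading out of real/)
 *   link        -> "/"    (symlink at the top level)
 * Writes the root path into `root`; returns 0 on success, -1 on failure. */
int make_fixture(char *root, size_t rootsz)
{
    char tmpl[] = "/tmp/autoar_check_XXXXXX";
    char buf[PATH_MAX];
    if (!mkdtemp(tmpl)) return -1;
    if ((size_t)snprintf(root, rootsz, "%s", tmpl) >= rootsz) return -1;
    snprintf(buf, sizeof buf, "%s/real", tmpl);
    if (mkdir(buf, 0700) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/real/escape", tmpl);
    if (symlink("..", buf) != 0) return -1;
    snprintf(buf, sizeof buf, "%s/link", tmpl);
    if (symlink("/", buf) != 0) return -1;
    return 0;
}

int main(void)
{
    char root[PATH_MAX];
    const char *why;
    const char *entries[] = { "real/notes.txt", "new/dir/notes.txt",
                              "link/etc/passwd", "real/escape/notes.txt",
                              "../notes.txt", "/etc/passwd" };
    if (make_fixture(root, sizeof root) != 0) { perror("fixture"); return 1; }
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int ok = entry_parent_is_safe(root, entries[i], &why);
        printf("%-24s %s (%s)\n", entries[i], ok ? "extract" : "REFUSE", why);
    }
    return 0;
}
```

Run as a program it prints a verdict for each constructed entry name: the two paths through plain or not-yet-existing directories are accepted, the two that pass through a symlink are refused, and the absolute and ".." names are refused before touching the filesystem. An lstat()-then-write sequence still leaves a time-of-check/time-of-use window, so an extractor that must resist a concurrent local attacker would additionally open each component with O_NOFOLLOW and create the file relative to that descriptor rather than by full path.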

Priority

Medium

Cvss 3 Severity Score

5.5

Status

Package: gnome-autoar (tracker links: Launchpad, Ubuntu, Debian)

Release   Status
bionic    Released (0.2.3-1ubuntu0.3)
focal     Released (0.2.3-2ubuntu0.3)
groovy    Released (0.2.4-2ubuntu0.3)
hirsute   Not vulnerable (0.3.1-1)
trusty    Does not exist
upstream  Released (0.3.1-1)
xenial    Does not exist

Patches:
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/merge_requests/15/commits
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f4792b2178c7eec5351eca9b2d8d19c884af7ba3
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f2175bd3a8604c433129d2f39a7dcb71170d646f
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b5c8efcd87afa8e40d87c8e54ba446298da9136d
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/9ba3d2da6818ccab92197a66a5356daa23c1604d
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2955faea3dddbeea7c8b2e64e1a7efebdc64f430
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f26d32e02d04ed6686ec9e2af737f0a6258c582c
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/88e21e8aa2841216fa1d7fba617a8692912af51e
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/c4b0b9c9b6522058dc43ee817b0e0bbd1f030617
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/7f2e1868df66342abd1bb9f456df2b8d5668ef2f
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2c8d16395cd9b493d21fa5c33da58339089fd723
upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/32957ff7841c57cc1d95f7acafab6292407f462e

Severity score breakdown

Parameter               Value
Base score              5.5
Attack vector           Local
Attack complexity       Low
Privileges required     Low
User interaction        None
Scope                   Unchanged
Confidentiality impact  High
Integrity impact        None
Availability impact     None
Vector                  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N