CVE-2021-28650

Published: 17 March 2021

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.
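The missing check the description refers to, shown as an added defensive example (not gnome-autoar's own code): before an archive member is written under the destination directory, every existing parent component is inspected with lstat and the write is refused if any of them is a symlink or the final path escapes the destination. The directory layout built in demo() is constructed for illustration.

```python
import os
import stat
import tempfile

def safe_extract_path(dest_root, member_name):
    """Return the absolute path an archive member may be written to, or None
    if the member escapes dest_root or any existing parent component is a
    symlink. Parents are inspected with lstat so links are never followed."""
    root = os.path.realpath(dest_root)
    norm = os.path.normpath(member_name)
    # Absolute names and anything that normalises to a leading ".." escape.
    if os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep):
        return None
    target = os.path.join(root, norm)
    # Walk each parent component that already exists; a symlink anywhere in
    # the chain (e.g. one created by an earlier member) would redirect the write.
    cur = root
    for part in norm.split(os.sep)[:-1]:
        cur = os.path.join(cur, part)
        try:
            if stat.S_ISLNK(os.lstat(cur).st_mode):
                return None
        except FileNotFoundError:
            break  # the extractor will create the remaining dirs as real dirs
    # Belt and braces: the resolved parent must still lie under the root.
    parent = os.path.realpath(os.path.dirname(target))
    if parent != root and not parent.startswith(root + os.sep):
        return None
    return target

def demo():
    """Constructed scenario: the archive has already planted symlinks that
    point outside the destination, then tries to write files through them."""
    with tempfile.TemporaryDirectory() as base:
        outside = os.path.join(base, "outside")
        dest = os.path.join(base, "dest")
        os.makedirs(os.path.join(dest, "docs", "sub"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(dest, "link"))
        os.symlink(outside, os.path.join(dest, "docs", "sub", "deep"))
        return {
            "plain file": safe_extract_path(dest, "docs/readme.txt") is not None,
            "new subdirs": safe_extract_path(dest, "new/dir/file.txt") is not None,
            "dot-dot escape": safe_extract_path(dest, "../escape.txt") is None,
            "absolute name": safe_extract_path(dest, "/absolute/file.txt") is None,
            "through top-level symlink": safe_extract_path(dest, "link/file.txt") is None,
            "through nested symlink": safe_extract_path(dest, "docs/sub/deep/x/y") is None,
        }
```

Every value returned by demo() is True when the check behaves as intended; a real extractor would also need to apply it to the member's own name when it is a directory or symlink entry.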

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: gnome-autoar (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (0.3.1-1)
Ubuntu 21.04 (Hirsute Hippo)      Not vulnerable (0.3.1-1)
Ubuntu 20.04 LTS (Focal Fossa)    Released (0.2.3-2ubuntu0.3)
Ubuntu 18.04 LTS (Bionic Beaver)  Released (0.2.3-1ubuntu0.3)
Ubuntu 16.04 ESM (Xenial Xerus)   Does not exist
Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/merge_requests/15/commits
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f4792b2178c7eec5351eca9b2d8d19c884af7ba3 (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f2175bd3a8604c433129d2f39a7dcb71170d646f (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/b5c8efcd87afa8e40d87c8e54ba446298da9136d (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/9ba3d2da6818ccab92197a66a5356daa23c1604d (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2955faea3dddbeea7c8b2e64e1a7efebdc64f430 (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/f26d32e02d04ed6686ec9e2af737f0a6258c582c (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/88e21e8aa2841216fa1d7fba617a8692912af51e (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/c4b0b9c9b6522058dc43ee817b0e0bbd1f030617 (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/7f2e1868df66342abd1bb9f456df2b8d5668ef2f (bp)
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/2c8d16395cd9b493d21fa5c33da58339089fd723
Upstream: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/32957ff7841c57cc1d95f7acafab6292407f462e (tests)