CVE-2020-36241

Name
CVE-2020-36241
Description
autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
Exploit https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/
GENTOO https://security.gentoo.org/glsa/202105-10

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnome:gnome-autoar:*:*:*:*:*:*:*:* gnome-autoar >= None <= 0.2.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gnome-autoar edge-community 0.3.1-r0 Rasmus Thomsen <oss@cogitri.dev> fixed
gnome-autoar 3.22-community 0.3.1-r0 None fixed
gnome-autoar 3.21-community 0.3.1-r0 None fixed
gnome-autoar 3.20-community 0.3.1-r0 None fixed
gnome-autoar 3.19-community 0.3.1-r0 None fixed
gnome-autoar 3.18-community 0.3.1-r0 None fixed
gnome-autoar 3.17-community 0.3.1-r0 None fixed