Your message dated Mon, 08 Mar 2021 12:48:40 +0000
with message-id <[email protected]>
and subject line Bug#982737: fixed in gnome-autoar 0.2.4-3
has caused the Debian Bug report #982737,
regarding gnome-autoar: CVE-2020-36241
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnome-autoar
Version: 0.2.4-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.2.3-2
Hi,
The following vulnerability was published for gnome-autoar.
CVE-2020-36241[0]:
| autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
| GNOME Shell, Nautilus, and other software, allows Directory Traversal
| during extraction because it lacks a check of whether a file's parent
| is a symlink to a directory outside of the intended extraction
| location.
If possible this ideally should be fixed in bullseye in time.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-36241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36241
[1] https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
[2] https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Regards,
Salvatore
--- End Message ---
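The missing check that the CVE description names, written out in C as an added example (it is not code from this thread and not the upstream gnome-autoar patch). `entry_parent_is_safe` and `has_dotdot` are hypothetical names, and the check assumes no other process modifies the destination while extraction runs.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any '/'-separated component of p is exactly "..". */
static int has_dotdot(const char *p)
{
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len + strspn(p + len, "/");
    }
    return 0;
}

/* Hypothetical helper: 1 if the parent directory of dest/entry resolves
   inside dest, 0 if it escapes (".." or a symlinked parent), -1 on error. */
int entry_parent_is_safe(const char *dest, const char *entry)
{
    char root[PATH_MAX], full[PATH_MAX], real[PATH_MAX];
    struct stat st;

    if (has_dotdot(entry))
        return 0;
    if (realpath(dest, root) == NULL)
        return -1;
    int len = snprintf(full, sizeof full, "%s/%s", root, entry);
    if (len < 0 || (size_t)len >= sizeof full)
        return -1;
    /* Strip the file name, then climb to the nearest existing ancestor;
       directories that do not exist yet cannot be symlinks. */
    for (;;) {
        char *slash = strrchr(full, '/');
        if (slash == NULL || slash == full)
            return 0;
        *slash = '\0';
        if (realpath(full, real) != NULL)
            break;
        if (lstat(full, &st) == 0)
            return 0;   /* exists but unresolvable: dangling/looping link */
    }
    size_t n = strlen(root);
    return strncmp(real, root, n) == 0 && (real[n] == '/' || real[n] == '\0');
}
```

The check has to run for every entry immediately before it is written, since the tree under the destination changes as extraction proceeds.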
--- Begin Message ---
Source: gnome-autoar
Source-Version: 0.2.4-3
Done: Sebastien Bacher <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnome-autoar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastien Bacher <[email protected]> (supplier of updated gnome-autoar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 08 Mar 2021 13:26:20 +0100
Source: gnome-autoar
Architecture: source
Version: 0.2.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Sebastien Bacher <[email protected]>
Closes: 982737
Changes:
 gnome-autoar (0.2.4-3) unstable; urgency=high
 .
   * debian/patches/CVE-2020-36241.patch:
     - backport the change for CVE-2020-36241 and a follow up fix for a
       regression in the initial change (Closes: #982737)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---