Hi,

On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> Source: gnome-autoar
> Version: 0.2.4-2
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 0.2.3-2
>
> Hi,
>
> The following vulnerability was published for gnome-autoar.
>
> CVE-2020-36241[0]:
> | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> | during extraction because it lacks a check of whether a file's parent
> | is a symlink to a directory outside of the intended extraction
> | location.
>
> If possible this ideally should be fixed in bullseye in time.

Would it be possible to cherry-pick the fix so we have the fix included in bullseye?

Regards,
Salvatore