Hi Salvatore,

On 01.03.21 at 10:57, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Feb 13, 2021 at 07:33:00PM +0100, Salvatore Bonaccorso wrote:
> > Source: gnome-autoar
> > Version: 0.2.4-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Control: found -1 0.2.3-2
> >
> > Hi,
> >
> > The following vulnerability was published for gnome-autoar.
> >
> > CVE-2020-36241[0]:
> > | autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by
> > | GNOME Shell, Nautilus, and other software, allows Directory Traversal
> > | during extraction because it lacks a check of whether a file's parent
> > | is a symlink to a directory outside of the intended extraction
> > | location.
> >
> > If possible this ideally should be fixed in bullseye in time.
>
> Would it be possible to cherry-pick the fix so we have the fix included in bullseye?
Seems reasonable. That said, I haven't really done any GNOME-related uploads for quite a while.
Regards, Michael
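To make the CVE description quoted above concrete, here is an added example, written for this page and not code from gnome-autoar, the bug report or the thread. It builds a constructed tar archive in memory in which the entry `sub` is a symlink to `..` and `sub/payload.txt` is a regular file whose parent is that symlink. A minimal extractor that only rejects absolute names and `..` path components (the lexical check the description implies) follows the symlinked parent and writes the file outside the destination; the same extractor with a `parent_is_inside` check, which resolves the member's parent directory with `realpath` and requires it to stay under the resolved destination, refuses the entry. All names (`build_archive`, `extract`, `demo`, `parent_is_inside`) are assumptions made for this example and do not correspond to identifiers in autoar-extractor.c.

```python
import os
import tarfile
import tempfile
from io import BytesIO


def build_archive() -> bytes:
    """Constructed sample archive (not the one from the bug report):
    'sub' is a symlink to '..' and 'sub/payload.txt' is a regular file
    whose parent directory is that symlink."""
    buf = BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("sub")
        link.type = tarfile.SYMTYPE
        link.linkname = ".."
        tar.addfile(link)
        data = b"written through a symlinked parent\n"
        member = tarfile.TarInfo("sub/payload.txt")
        member.size = len(data)
        tar.addfile(member, BytesIO(data))
    return buf.getvalue()


def parent_is_inside(dest: str, member_name: str) -> bool:
    """The check the CVE text says was missing: resolve the member's parent
    directory through any symlinks already on disk and require the result to
    be the destination itself or a path strictly below it."""
    dest_real = os.path.realpath(dest)
    parent_real = os.path.realpath(
        os.path.join(dest, os.path.dirname(member_name)))
    return parent_real == dest_real or parent_real.startswith(dest_real + os.sep)


def extract(archive: bytes, dest: str, check_parent: bool) -> list:
    """Toy extractor (hypothetical, not autoar's code). It applies only a
    lexical filter on the member name; with check_parent=False it will
    happily write through a parent that is a symlink pointing outside dest."""
    written = []
    with tarfile.open(fileobj=BytesIO(archive), mode="r") as tar:
        for m in tar:
            # Lexical check: absolute names and '..' components are refused.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                continue
            target = os.path.join(dest, m.name)
            if m.issym():
                # Symlinks inside the archive are created as-is.
                os.symlink(m.linkname, target)
            elif m.isfile():
                if check_parent and not parent_is_inside(dest, m.name):
                    continue  # parent resolves outside dest: refuse
                # exist_ok follows the symlink and accepts the outside dir.
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
                written.append(os.path.realpath(target))
    return written


def demo(check_parent: bool) -> tuple:
    """Run one extraction into a fresh temporary tree and report whether any
    written file resolved to a path outside the extraction directory."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "extract")
    os.mkdir(dest)
    written = extract(build_archive(), dest, check_parent)
    dest_real = os.path.realpath(dest)
    escaped = any(not p.startswith(dest_real + os.sep) for p in written)
    return escaped, written


if __name__ == "__main__":
    print("without parent check:", demo(check_parent=False))
    print("with parent check:   ", demo(check_parent=True))
```

The check has to be done against the filesystem state at the time the file is written, not against the archive listing alone: the symlink only becomes dangerous once it exists on disk, which is why a purely lexical filter on member names (no `..`, no leading `/`) is not sufficient.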