Bug 1181930 (CVE-2020-36241) - VUL-1: CVE-2020-36241: gnome-autoar: directory traversal via a malicious archive that contains a file whose parent is a symbolic link which points outside of the destination directory
Summary: VUL-1: CVE-2020-36241: gnome-autoar: directory traversal via a malicious arch...
Status: RESOLVED FIXED
Alias: CVE-2020-36241
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/277337/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-36241:3.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-08 09:55 UTC by Alexandros Toptsoglou
Modified: 2024-05-14 11:07 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2021-02-08 09:55:54 UTC 
CVE-2020-36241

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Reference:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

Upstream patch:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1925640
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36241
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Comment 1 Alexandros Toptsoglou 2021-02-08 09:58:03 UTC 
Tracked SLE12-SP3 and SLE-15 as affected. The POC seems deleted. All the related links for the fix and the upstream issue in comment 0
Comment 3 Alynx Zhou 2021-02-22 02:57:04 UTC 
https://build.suse.de/request/show/236420
SR to Devel:Desktop:SLE12:SP3
Comment 4 Alynx Zhou 2021-02-22 06:52:59 UTC 
https://build.suse.de/request/show/236429
SR to Devel:Desktop:SLE15
Comment 5 Alynx Zhou 2021-02-24 07:32:27 UTC 
https://build.suse.de/request/show/236627
SR to SLE-15
Comment 6 Alynx Zhou 2021-02-24 07:38:59 UTC 
https://build.suse.de/request/show/236628
SR to SLE-12-SP3
Comment 7 Alynx Zhou 2021-02-25 07:53:42 UTC 
Those SR were merged, assign to security team
Comment 8 Swamp Workflow Management 2021-03-01 20:16:26 UTC 
SUSE-SU-2021:0664-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    gnome-autoar-0.2.2-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-03-02 23:19:30 UTC 
SUSE-SU-2021:0687-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    gnome-autoar-0.2.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-03-06 08:16:45 UTC 
openSUSE-SU-2021:0390-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    gnome-autoar-0.2.3-lp152.4.3.1