Ubuntu GNOME Path Traversal

Bug #1901240 reported by Yiğit Can Yılmaz
Affects: gnome-autoar (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Summary:
A malicious package may be able to overwrite arbitrary files

Proof of concept:
1- Download "example.tar"
2- Right-click on "example.tar"
3- Click "Extract Here"
4- Check the "/tmp" path for the "test" file

Version:
Ubuntu 20.04.1
GNOME Files 3.36.3-stable
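The following is an added example, not the reporter's example.tar and not gnome-autoar's code. It shows the bug class the report describes: an extractor that joins each archive entry name onto the destination directory without checking where the joined path ends up, next to a hardened version that resolves every entry and refuses the whole archive if any entry would land outside the destination. The entry name "../../escape/test" stands in for whatever the reporter's archive used (an entry such as "../../tmp/test" would match the "/tmp/test" result in the PoC, but that is an assumption); the sample writes into a temporary sandbox rather than /tmp.

```python
import io
import os
import tarfile


class PathTraversalError(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def build_tar(entry_name: str, payload: bytes = b"test\n") -> bytes:
    """Build an in-memory tar archive with one regular file.

    Constructed sample, not the reporter's example.tar; the entry name is
    what carries the traversal (e.g. "../../tmp/test").
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=entry_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(tar_bytes: bytes, dest: str) -> list:
    """Naive extractor: joins each entry name onto dest and writes there.

    Nothing checks where the joined path lands, so an entry named
    "../../tmp/test" is written to <dest>/../../tmp/test. This illustrates
    the bug class in the report; it is not gnome-autoar's actual code.
    """
    os.makedirs(dest, exist_ok=True)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.normpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name against dest; refuse anything that escapes.

    realpath() on the parent directory collapses ".." components and follows
    symlinked directories that already exist on disk, so the containment
    check is made on the path the kernel would actually open.
    """
    if os.path.isabs(name):
        raise PathTraversalError(f"absolute entry name: {name!r}")
    dest_real = os.path.realpath(dest)
    candidate = os.path.join(dest_real, name)
    parent_real = os.path.realpath(os.path.dirname(candidate))
    target = os.path.normpath(os.path.join(parent_real, os.path.basename(candidate)))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise PathTraversalError(f"entry escapes destination: {name!r}")
    return target


def extract_safe(tar_bytes: bytes, dest: str) -> list:
    """Hardened extractor: every entry is checked before anything is written,
    so a bad archive is rejected whole rather than left half-extracted.

    Symlink and hard-link entries are skipped here; handling them safely
    needs an additional check on the link target and is out of scope.
    """
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        members = [m for m in tar if m.isfile() or m.isdir()]
        targets = [safe_target(dest, m.name) for m in members]  # raises on escape
        written = []
        for member, target in zip(members, targets):
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(target)
    return written


if __name__ == "__main__":
    import tempfile

    root = tempfile.mkdtemp()  # sandbox root standing in for the user's home
    dest = os.path.join(root, "inner", "dest")
    evil = build_tar("../../escape/test")
    print("unsafe wrote:", extract_unsafe(evil, dest))
    try:
        extract_safe(evil, dest)
    except PathTraversalError as exc:
        print("safe rejected:", exc)
```

The check is done on the resolved parent directory rather than on the entry name string, so "a/../../x", a bare "..", and an absolute name are all caught the same way. Validating all entries before writing any of them is what makes the rejection clean: with a check applied entry by entry, an archive could still drop its benign files before the offending one is hit.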

CVE References
CVE-2020-36241

Alex Murray (alexmurray)
affects: ubuntu → nautilus (Ubuntu)
Revision history for this message
Alex Murray (alexmurray) wrote :

nautilus (which provides the 'Extract here') uses gnome-autoar under the hood to perform the extraction so assigning this bug to that.

affects: nautilus (Ubuntu) → gnome-autoar (Ubuntu)
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for the bug report - since this likely affects gnome-autoar upstream, have you also reported this issue to the upstream GNOME developers? If not, this can be done via https://security.gnome.org/

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi, have you reported this issue to the upstream gnome-autoar developers yet?

Revision history for this message
Yiğit Can Yılmaz (yigitcanyilmaz) wrote :

Yes, reported.

Revision history for this message
Yiğit Can Yılmaz (yigitcanyilmaz) wrote :

It's reported with https://security.gnome.org/ form.

Revision history for this message
Alex Murray (alexmurray) wrote :

Has there been any update from the GNOME developers? Have they responded to the report? Please keep us informed of any updates/changes, thanks!

Revision history for this message
Yiğit Can Yılmaz (yigitcanyilmaz) wrote :

Hello,
GNOME developers verified this issue and are working on addressing it. I'll update you.

Thank you,

Steve Beattie (sbeattie)
Changed in gnome-autoar (Ubuntu):
status: New → Confirmed
Revision history for this message
Yiğit Can Yılmaz (yigitcanyilmaz) wrote :

Hello,
This issue has been fixed.

CVE ID:
CVE-2020-36241

Thank you,

Revision history for this message
Steve Beattie (sbeattie) wrote :

Upstream issue: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7 and associated fix https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429

Given that this is public upstream, I'm going to open this issue up as well.

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-autoar - 0.2.4-2ubuntu0.1

---------------
gnome-autoar (0.2.4-2ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue (LP: #1901240)
    - debian/patches/CVE-2020-36241.patch: do not extract files outside the
      destination dir in gnome-autoar/autoar-extractor.c.
    - CVE-2020-36241

 -- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 13:55:36 -0500

Changed in gnome-autoar (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-autoar - 0.2.3-2ubuntu0.1

---------------
gnome-autoar (0.2.3-2ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue (LP: #1901240)
    - debian/patches/CVE-2020-36241.patch: do not extract files outside the
      destination dir in gnome-autoar/autoar-extractor.c.
    - CVE-2020-36241

 -- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 13:59:00 -0500

Changed in gnome-autoar (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-autoar - 0.2.3-1ubuntu0.1

---------------
gnome-autoar (0.2.3-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue (LP: #1901240)
    - debian/patches/CVE-2020-36241.patch: do not extract files outside the
      destination dir in gnome-autoar/autoar-extractor.c.
    - CVE-2020-36241

 -- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 13:59:35 -0500

Changed in gnome-autoar (Ubuntu):
status: Confirmed → Fix Released