autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows directory traversal during extraction: it does not check whether a file's parent directory is a symlink to a directory outside the intended extraction location, so an entry extracted through such a symlink can be written outside that location.
[
{
"target": {
"file": "gnome-autoar/autoar-extractor.c"
},
"signature_type": "Line",
"id": "CVE-2020-36241-90123b5a",
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@adb067e645732fdbe7103516e506d09eb6a54429",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"94510898510571848284447201167557315840",
"291751441778175078435633809414441284861",
"305296361726674130796305330674483032050",
"195565424563935462210525169179108455864",
"168030673825739162384362560831749311368",
"30777879245771735981576219745571511781",
"339793815370767424507662154728671645876",
"180184541569882252301577126833340478889",
"308321769922974972072547619953000740725",
"161871281745078997866551374814723564870",
"21604273146557722137035100087837420025",
"221232525563350166443387085982224984543",
"281066111113771298228879962071224205092",
"102773212660540425695610677929274022639",
"119395621941297082000907750033329231255",
"120609688874084817082113858184529319438",
"257217748597140759098017040221787760200",
"227263811683321015476274881989598310222",
"324519438734321141026318171076938444929",
"140328084680840104229000457395009919196",
"269752536719158915855778709943350993411",
"242872673489203345292226906555426676966",
"250385453574992487941271407877065146885",
"286719229948322879210516664771645431988",
"195585270677884706506398692188729405413",
"318302301378571833162256803508503237535",
"218613929765143664786918174601108679533",
"139086422860005508288358691278789790848",
"10958260111633119823476386537609705369",
"112240283909046655480806255810305227124"
]
}
},
{
"target": {
"function": "autoar_extractor_do_sanitize_pathname",
"file": "gnome-autoar/autoar-extractor.c"
},
"signature_type": "Function",
"id": "CVE-2020-36241-b3246012",
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@adb067e645732fdbe7103516e506d09eb6a54429",
"signature_version": "v1",
"digest": {
"function_hash": "86722810029506322070584222437282053320",
"length": 776.0
}
},
{
"target": {
"function": "autoar_extractor_step_extract",
"file": "gnome-autoar/autoar-extractor.c"
},
"signature_type": "Function",
"id": "CVE-2020-36241-d7cc0b30",
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gnome-autoar@adb067e645732fdbe7103516e506d09eb6a54429",
"signature_version": "v1",
"digest": {
"function_hash": "19643074148477484914099050631703047409",
"length": 1788.0
}
}
]