CVE-2021-28650

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.

References

Affected packages

Debian:11 / gnome-autoar

Package

Name: gnome-autoar
Purl: pkg:deb/debian/gnome-autoar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.2.4-3

0.3.0-1

0.3.1-1

0.3.2-1

0.3.3-1

0.4.0-1

0.4.1-1

0.4.2-1

0.4.3-1

0.4.4-1

0.4.4-2

0.4.5-1

0.4.5-2

0.4.5-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / gnome-autoar

Package

Name: gnome-autoar
Purl: pkg:deb/debian/gnome-autoar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gnome-autoar

Package

Name: gnome-autoar
Purl: pkg:deb/debian/gnome-autoar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / gnome-autoar

Package

Name: gnome-autoar
Purl: pkg:deb/debian/gnome-autoar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / gitlab.gnome.org/GNOME/gnome-autoar

Affected ranges

Type: GIT
Repo: https://gitlab.gnome.org/GNOME/gnome-autoar
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8109c368c6cfdb593faaf698c2bf5da32bb1ace4

Affected versions

0.*

0.1.0

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
            "signature_version": "v1",
            "target": {
                "function": "autoar_extractor_check_file_conflict",
                "file": "gnome-autoar/autoar-extractor.c"
            },
            "digest": {
                "function_hash": "99373367613554809577081196480085047086",
                "length": 284.0
            },
            "id": "CVE-2021-28650-070f0175"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
            "signature_version": "v1",
            "target": {
                "file": "gnome-autoar/autoar-extractor.c"
            },
            "digest": {
                "line_hashes": [
                    "202873567088741737755139773778856684414",
                    "253786553022999834027812518448673111945",
                    "86261100617153731251853289598727974625",
                    "160936512739695133357499748907602668169",
                    "137374394736149040872317987219553189945",
                    "270732997768496155435744769357381582851",
                    "244127320031209311580005316087106093783",
                    "157603545734204621894498381227191520218",
                    "231909359212710678941792030726133514565",
                    "322724400400682001161733752636446320027",
                    "148762820276148228685341759328016027759",
                    "80526361010997095919849916967872224147",
                    "45654882263623040256181518074595264081",
                    "290449237765823922557442662957704297919",
                    "143508716903283642467802267094980547991",
                    "253341687466085229640557304141302650248",
                    "105135349804760838859480469610730392589",
                    "240226979070748456517245327310687153925",
                    "339279520886571069745447021750983878169",
                    "145062458361469922140567365199213942456",
                    "240666612790968850778280645138938878176",
                    "85682285750154980863096319146138418682",
                    "276989541056842942275151211316468774779",
                    "10958260111633119823476386537609705369",
                    "112240283909046655480806255810305227124",
                    "171209949003521789335708262986558689800",
                    "94354684989209136025792448985348421424",
                    "313182116061384494489975579325336736942",
                    "172040966644835096366579898560909236132",
                    "226674900431117975290627699646407248066",
                    "216325880258227678019308110977562702078",
                    "56216488792594233498650375158183283213",
                    "173766603905420724977676456036425120486",
                    "301181788405733540170702592044020477872"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-28650-1ba0da16"
        },
        {
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4",
            "signature_version": "v1",
            "target": {
                "function": "autoar_extractor_step_extract",
                "file": "gnome-autoar/autoar-extractor.c"
            },
            "digest": {
                "function_hash": "10935086851531793748285076384108417827",
                "length": 1996.0
            },
            "id": "CVE-2021-28650-d12469aa"
        }
    ]
}