Bug 1181930 (CVE-2020-36241)

Summary: VUL-1: CVE-2020-36241: gnome-autoar: directory traversal via a malicious archive that contains a file whose parent is a symbolic link which points outside of the destination directory
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: gnome-bugs, smash_bz, yfjiang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/277337/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-36241:3.9:(AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2021-02-08 09:55:54 UTC
CVE-2020-36241

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Reference:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

Upstream patch:
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1925640
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36241
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
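The missing check the description refers to is, in defensive terms, "resolve the parent directory of every entry and confirm it still lies under the destination before writing". The following is an added illustration written for this page; it is not gnome-autoar's code and it does not reproduce the upstream commit. It is in Python rather than C so it runs stand-alone; the function name `is_safe_extraction_path`, the constructed temporary directory layout (a destination containing a symlink named `escape` that points to a sibling directory), and the sample member names are all assumptions made for the demonstration.

```python
import os
import tempfile


def is_safe_extraction_path(dest_root: str, member_name: str) -> bool:
    """Return True only if `member_name`, placed under `dest_root`, would be
    written inside `dest_root`.

    The decisive step is resolving the entry's *parent* directory with
    realpath(), which follows any symlink already present on disk. A plain
    string check on the member name ("does it contain '..'?") is not enough:
    "escape/doc.txt" looks harmless, but if "escape" is a symlink the file
    lands wherever that link points.
    """
    root = os.path.realpath(dest_root)
    target = os.path.join(root, member_name)
    parent_real = os.path.realpath(os.path.dirname(target))
    # The parent must be the destination itself or one of its descendants.
    return parent_real == root or parent_real.startswith(root + os.sep)


def build_scenario() -> str:
    """Constructed fixture (not from the advisory): a destination directory
    holding a normal subdirectory and a symlink that leaves the tree."""
    base = tempfile.mkdtemp(prefix="autoar-demo-")
    dest = os.path.join(base, "dest")
    outside = os.path.join(base, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    os.makedirs(os.path.join(dest, "sub"))
    # Symlink inside the destination pointing outside of it.
    os.symlink(outside, os.path.join(dest, "escape"))
    return dest


def classify_members(dest_root: str, members) -> dict:
    """Map each archive member name to the verdict of the parent-directory check."""
    return {m: is_safe_extraction_path(dest_root, m) for m in members}


if __name__ == "__main__":
    dest = build_scenario()
    sample_members = [
        "doc.txt",            # top-level file: allowed
        "sub/doc.txt",        # existing subdirectory: allowed
        "newdir/doc.txt",     # not-yet-created subdirectory: allowed
        "escape/doc.txt",     # parent is a symlink leaving the tree: rejected
        "../doc.txt",         # classic dot-dot traversal: rejected
        "sub/../escape/x",    # traversal that lands on the symlink: rejected
    ]
    for name, ok in classify_members(dest, sample_members).items():
        print(f"{'allow ' if ok else 'REJECT'} {name}")
```

The check has to run per entry, at the moment that entry is about to be written, because the symlink that turns a benign-looking path into an escape may have been created by an earlier entry of the same archive rather than pre-existing on disk. Checking all names up front against an empty destination would pass `escape/doc.txt` and miss the problem.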
Comment 1 Alexandros Toptsoglou 2021-02-08 09:58:03 UTC
Tracked SLE12-SP3 and SLE-15 as affected. The POC seems deleted. All the related links for the fix and the upstream issue are in comment 0.
Comment 3 Alynx Zhou 2021-02-22 02:57:04 UTC
https://build.suse.de/request/show/236420
SR to Devel:Desktop:SLE12:SP3
Comment 4 Alynx Zhou 2021-02-22 06:52:59 UTC
https://build.suse.de/request/show/236429
SR to Devel:Desktop:SLE15
Comment 5 Alynx Zhou 2021-02-24 07:32:27 UTC
https://build.suse.de/request/show/236627
SR to SLE-15
Comment 6 Alynx Zhou 2021-02-24 07:38:59 UTC
https://build.suse.de/request/show/236628
SR to SLE-12-SP3
Comment 7 Alynx Zhou 2021-02-25 07:53:42 UTC
Those SRs were merged, assigning to the security team.
Comment 8 Swamp Workflow Management 2021-03-01 20:16:26 UTC
SUSE-SU-2021:0664-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    gnome-autoar-0.2.2-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-03-02 23:19:30 UTC
SUSE-SU-2021:0687-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    gnome-autoar-0.2.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-03-06 08:16:45 UTC
openSUSE-SU-2021:0390-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181930
CVE References: CVE-2020-36241
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    gnome-autoar-0.2.3-lp152.4.3.1