Ubuntu has issued an advisory on May 6: https://ubuntu.com/security/notices/USN-4937-1 Mageia 7 is also affected.
Source RPM: (none) => gnome-autoar-0.2.4-2.1.mga8.src.rpm
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CVE: (none) => CVE-2021-28650
CC: (none) => geiger.david68210, olav, ouaurelien
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => gnome
Also the previous update (Bug 28454) introduced a regression, fixed here: https://ubuntu.com/security/notices/USN-4733-2
Fedora has issued an advisory for this on March 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2T2WNK5MCCXX7Y5LGNP6SJYIBL7ADKHD/ The issue is fixed upstream in 0.3.1.
Status comment: (none) => Fixed upstream in 0.3.1
Done for mga8 and mga7!
RPMS:
libgnome-autoar0_0-0.3.1-1.mga7
libgnome-autoar-gir0.1-0.3.1-1.mga7
libgnome-autoar-devel-0.3.1-1.mga7
libgnome-autoar0_0-0.3.1-1.mga8
libgnome-autoar-gir0.1-0.3.1-1.mga8
libgnome-autoar-devel-0.3.1-1.mga8

from SRPMS:
gnome-autoar-0.3.1-1.mga7.src.rpm
gnome-autoar-0.3.1-1.mga8.src.rpm
Status comment: Fixed upstream in 0.3.1 => (none)
Assignee: gnome => qa-bugs
MGA7-64 Plasma on Lenovo B50
An installation snag: when in MCC first selecting libgnome-autoar-gir0.1-0.3.1-1.mga7, MCC complains on missing libgnome-autoar0_0-0.3.1-1.mga7. First selecting the latter, then the former, all is OK. Is this a dependency missing???
# urpmq --whatrequires lib64gnome-autoar0_0
evolution
gnome-recipes
and some more, installed gnome-recipes and run it as
$ strace -o lib64gnomeautoar.txt gnome-recipes
Look at one recipe, open the dialogue for a new recipe, close. Checked the trace, find reference to the library, so seems to work OK. I leave it to the higher powers whether this update can go, or the dependency needs mending. I will not object the OK.
CC: (none) => herman.viaene
@Herman with regard to comment 6. I installed the three packages manually (one was already installed) without any problem so I think you can give this the OK - installed serially with libgnome-autoar0_0 first. (I have not tried updating yet)

Treading on your toes to have a look at the PoC.

mga7, x64

CVE-2020-36241
https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7

CVE-2021-28650
If I understand this correctly the issue was not fully fixed by the first patch and needed further treatment.

Downloaded the linktotmp.tar file. Ran nautilus to extract the contents of the tar file. gtar reported an error, no such file /tmp/foo, but a symbolic link was created pointing to /tmp.
$ unlink tmplink

Updated packages. Ran the extraction test on the poc file, which did exactly as before and created the tmplink symbolic link to /tmp and no /tmp/foo file. This may be the required behaviour - I have not quite worked it out yet. If it is then the issue is fixed. Anyway you should go ahead and OK the update Herman.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
MGA7-64 Plasma on Lenovo B50
No installation issues. Same test as in Comment 6: is OK.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated gnome-autoar packages fix a security vulnerability:

gnome-autoar: directory traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations (CVE-2021-28650).

Also the previous update (Bug 28454) introduced a regression, fixed here.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28884
- https://bugs.mageia.org/show_bug.cgi?id=28454
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28650
- https://ubuntu.com/security/notices/USN-4733-2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2T2WNK5MCCXX7Y5LGNP6SJYIBL7ADKHD/
========================

Updated packages in core/updates_testing:
========================
libgnome-autoar0_0-0.3.1-1.mga7
libgnome-autoar-gir0.1-0.3.1-1.mga7
libgnome-autoar-devel-0.3.1-1.mga7
libgnome-autoar0_0-0.3.1-1.mga8
libgnome-autoar-gir0.1-0.3.1-1.mga8
libgnome-autoar-devel-0.3.1-1.mga8

from SRPMS:
gnome-autoar-0.3.1-1.mga7.src.rpm
gnome-autoar-0.3.1-1.mga8.src.rpm
Keywords: (none) => advisory
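The advisory names the missing check: an extractor must refuse to write a file when any parent of its path is a symlink at the moment of writing, not just the first-level parent. The following is an added illustration of that check in Python, written for this page and not taken from gnome-autoar or its fix. It builds a small constructed archive shaped like the one described in the test above (a symlink entry to /tmp followed by a file under it), extracts it member by member while re-checking the on-disk parent chain before each write, and also exercises a link two levels deep, which a first-level-only check would miss. All names (build_sample_tar, parent_is_symlink, is_safe_member, safe_extract, demo) and the sample archive contents are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_sample_tar() -> bytes:
    """Build, in memory, a constructed archive with the shape described in the
    bug report: a symlink entry whose target lies outside the destination,
    followed by a regular file whose parent directory is that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("tmplink")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"  # constructed value, mirroring the PoC description
        tf.addfile(link)
        payload = b"hello\n"
        bad = tarfile.TarInfo("tmplink/foo")  # its parent is the symlink above
        bad.size = len(payload)
        tf.addfile(bad, io.BytesIO(payload))
        good = tarfile.TarInfo("safe/readme.txt")
        good.size = len(payload)
        tf.addfile(good, io.BytesIO(payload))
    return buf.getvalue()


def parent_is_symlink(dest: Path, relative_name: str) -> bool:
    """Walk every parent component of relative_name as it currently exists on
    disk under dest and report whether any of them is a symlink. Checking only
    the first component would miss a link two or more levels down."""
    current = dest
    for part in Path(relative_name).parts[:-1]:
        current = current / part
        if current.is_symlink():
            return True
    return False


def is_safe_member(dest: Path, member: tarfile.TarInfo) -> bool:
    """Accept a member only if its path is relative, contains no '..' and none
    of its parents is a symlink at the moment it would be written."""
    name = Path(member.name)
    if member.name == "" or name.is_absolute() or ".." in name.parts:
        return False
    return not parent_is_symlink(dest, member.name)


def safe_extract(tar_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract members in archive order, re-checking the on-disk parent chain
    before each write (an earlier member may have created a symlink).
    Returns (extracted names, rejected names)."""
    extracted, rejected = [], []
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf:
            if not is_safe_member(dest, member):
                rejected.append(member.name)
                continue
            target = dest / member.name
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.issym():
                # Mirrors the behaviour observed above (the link itself is created);
                # a stricter policy would also refuse link targets outside dest.
                target.parent.mkdir(parents=True, exist_ok=True)
                os.symlink(member.linkname, target)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tf.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            else:
                rejected.append(member.name)  # hard links, devices, fifos: not handled
                continue
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Run the sample through safe_extract in a fresh temporary directory and
    also probe the nested case: a real directory 'a' holding a symlink 'b'."""
    dest = Path(tempfile.mkdtemp(prefix="autoar-demo-"))
    extracted, rejected = safe_extract(build_sample_tar(), dest)
    nested = dest / "a"
    nested.mkdir()
    os.symlink("/tmp", nested / "b")  # link two levels deep, constructed
    return {
        "extracted": extracted,
        "rejected": rejected,
        "tmplink_is_symlink": (dest / "tmplink").is_symlink(),
        "nested_rejected": not is_safe_member(dest, tarfile.TarInfo("a/b/c")),
        "nested_sibling_ok": is_safe_member(dest, tarfile.TarInfo("a/c")),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() extracts "tmplink" and "safe/readme.txt", rejects "tmplink/foo" because its parent is now a symlink, and refuses "a/b/c" while still accepting "a/c". The check is deliberately done against the filesystem state before each write rather than against the archive listing alone, since the link may come from an earlier member, an earlier archive, or the user.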
I would use the advisory identifier MGASA-2021-0111, rather than the bug number, to refer to the previous update (and the advisory link rather than bug link as a reference).
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0274.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED