autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. Reference and upstream patch: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4
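The kind of parent check the description says was missing, as an added example that is not gnome-autoar's code and not the upstream patch: it uses plain POSIX calls instead of GLib/GIO, walks every parent component of an entry path below the extraction directory with `lstat()`, and flags the entry if any existing parent is a symlink. The function names and the sample tree are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 if no existing parent of dest/rel below
 * dest is a symlink or non-directory, 1 if one is, and -1 if rel is
 * absolute, contains "..", or is too long. */
int entry_parent_unsafe(const char *dest, const char *rel)
{
    char path[PATH_MAX], copy[PATH_MAX], *save = NULL;
    struct stat st;
    if (rel[0] == '/' || strlen(rel) >= sizeof copy ||
        strlen(dest) + strlen(rel) + 2 > sizeof path)
        return -1;
    strcpy(copy, rel);
    strcpy(path, dest);
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL;) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0)
            return -1;
        if (next == NULL)
            break;              /* last component is the entry itself */
        strcat(path, "/");
        strcat(path, comp);
        /* lstat() does not follow the final component, so a symlink shows up */
        if (lstat(path, &st) == 0 && !S_ISDIR(st.st_mode))
            return 1;
        comp = next;
    }
    return 0;
}

/* Constructed sample tree: <tmp>/real is a directory and <tmp>/real/link is
 * a symlink to /tmp. Returns the verdict for entry, or -2 on setup failure. */
int check_in_sample_tree(const char *entry)
{
    char dest[] = "/tmp/autoar-demo-XXXXXX", dir[PATH_MAX], lnk[PATH_MAX];

    if (mkdtemp(dest) == NULL)
        return -2;
    snprintf(dir, sizeof dir, "%s/real", dest);
    snprintf(lnk, sizeof lnk, "%s/real/link", dest);
    if (mkdir(dir, 0700) != 0 || symlink("/tmp", lnk) != 0)
        return -2;
    return entry_parent_unsafe(dest, entry);
}
```

The check has to cover the whole parent chain, not only the immediate parent, and it has to run for every entry at the moment it is written. An `lstat()` walk is still racy if another process can modify the destination during extraction; opening each component with `openat()` and `O_NOFOLLOW` closes that gap.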
Created gnome-autoar tracking bugs for this issue: Affects: fedora-all [bug 1940027]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4381 https://access.redhat.com/errata/RHSA-2021:4381
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28650