It was found that gcab did not correctly filter leading slashes from paths in CAB files, leading to a directory traversal flaw. Upstream report: https://bugzilla.gnome.org/show_bug.cgi?id=742331 Upstream patch: https://bug742331.bugzilla-attachments.gnome.org/attachment.cgi?id=293730 CVE request and assignment: http://seclists.org/oss-sec/2015/q1/54
Created gcab tracking bugs for this issue: Affects: fedora-all [bug 1179127]
gcab-0.4-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.