autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Reference: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
Upstream patch: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
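The kind of parent check the description says is missing, sketched with POSIX calls as an added example; it is not gnome-autoar's code and not the upstream patch. The names `parent_stays_inside` and `demo_check` are hypothetical, and the directory layout is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if the parent of dest/entry, with symlinks
 * resolved, is dest or below it; 0 otherwise. Fails closed on any error.
 * Assumes the parent already exists (created by earlier archive entries). */
int parent_stays_inside(const char *dest, const char *entry)
{
    char real_dest[PATH_MAX], real_parent[PATH_MAX], joined[PATH_MAX];
    size_t n;
    int len;
    if (realpath(dest, real_dest) == NULL)
        return 0;
    len = snprintf(joined, sizeof joined, "%s/%s", real_dest, entry);
    if (len < 0 || (size_t)len >= sizeof joined)
        return 0;
    *strrchr(joined, '/') = '\0';   /* drop the last component, keep the parent */
    if (realpath(joined, real_parent) == NULL)
        return 0;
    n = strlen(real_dest);
    if (n == 1)                     /* dest is "/": nothing lies outside it */
        return 1;
    /* Match on a path boundary so "/x/dest2" does not pass for "/x/dest". */
    return strncmp(real_parent, real_dest, n) == 0 &&
           (real_parent[n] == '\0' || real_parent[n] == '/');
}

/* Constructed layout in a fresh temp dir: dest/sub/ is an ordinary directory,
 * dest/link is a symlink to ../outside, a directory beside dest. */
int demo_check(const char *entry)
{
    char tmp[] = "/tmp/autoar-demo-XXXXXX", dest[PATH_MAX], p[PATH_MAX];
    if (mkdtemp(tmp) == NULL) return -1;
    snprintf(dest, sizeof dest, "%s/dest", tmp);     mkdir(dest, 0700);
    snprintf(p, sizeof p, "%s/outside", tmp);        mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/dest/sub", tmp);       mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/dest/link", tmp);
    if (symlink("../outside", p) != 0) return -1;
    return parent_stays_inside(dest, entry);
}

int main(void)
{
    printf("sub/a.txt=%d link/a.txt=%d\n", demo_check("sub/a.txt"), demo_check("link/a.txt"));
    return 0;
}
```

The check and the later write are separate steps, so it only holds when nothing else modifies the destination tree while extraction is running.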
Created gnome-autoar tracking bugs for this issue:

Affects: fedora-all [bug 1925641]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4381 https://access.redhat.com/errata/RHSA-2021:4381
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36241