{"id":"CVE-2021-28650","details":"autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.","modified":"2026-03-14T10:53:46.099681Z","published":"2021-03-17T06:15:14.640Z","related":["ALSA-2021:4381","MGASA-2021-0274","openSUSE-SU-2024:10795-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-10"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/gnome-autoar","events":[{"introduced":"0"},{"fixed":"a1b7bb873b3d6ef05cf001e881d1aa8ff8efabea"},{"fixed":"8109c368c6cfdb593faaf698c2bf5da32bb1ace4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.1"}]}}],"versions":["0.1.0","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.3.0"],"database_specific":{"vanir_signatures":[{"target":{"function":"autoar_extractor_check_file_conflict","file":"gnome-autoar/autoar-extractor.c"},"id":"CVE-2021-28650-070f0175","signature_version":"v1","deprecated":false,"digest":{"function_hash":"99373367613554809577081196480085047086","length":284},"source":"https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4","signature_type":"Function"},{"target":{"file":"gnome-autoar/autoar-extractor.c"},"id":"CVE-2021-28650-1ba0da16","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202873567088741737755139773778856684414","253786553022999834027812518448673111945","86261100617153731251853289598727974625","160936512739695133357499748907602668169","137374394736149040872317987219553189945","270732997768496155435744769357381582851","244127320031209311580005316087106093783","157603545734204621894498381227191520218","231909359212710678941792030726133514565","322724400400682001161733752636446320027","148762820276148228685341759328016027759","80526361010997095919849916967872224147","45654882263623040256181518074595264081","290449237765823922557442662957704297919","143508716903283642467802267094980547991","253341687466085229640557304141302650248","105135349804760838859480469610730392589","240226979070748456517245327310687153925","339279520886571069745447021750983878169","145062458361469922140567365199213942456","240666612790968850778280645138938878176","85682285750154980863096319146138418682","276989541056842942275151211316468774779","10958260111633119823476386537609705369","112240283909046655480806255810305227124","171209949003521789335708262986558689800","94354684989209136025792448985348421424","313182116061384494489975579325336736942","172040966644835096366579898560909236132","226674900431117975290627699646407248066","216325880258227678019308110977562702078","56216488792594233498650375158183283213","173766603905420724977676456036425120486","301181788405733540170702592044020477872"]},"source":"https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4","signature_type":"Line"},{"target":{"function":"autoar_extractor_step_extract","file":"gnome-autoar/autoar-extractor.c"},"id":"CVE-2021-28650-d12469aa","signature_version":"v1","deprecated":false,"digest":{"function_hash":"10935086851531793748285076384108417827","length":1996},"source":"https://gitlab.gnome.org/GNOME/gnome-autoar@8109c368c6cfdb593faaf698c2bf5da32bb1ace4","signature_type":"Function"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28650.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}