diff -Nru gnome-autoar-0.2.3/debian/changelog gnome-autoar-0.2.3/debian/changelog --- gnome-autoar-0.2.3/debian/changelog 2021-05-05 16:58:16.000000000 +0000 +++ gnome-autoar-0.2.3/debian/changelog 2021-06-04 11:03:33.000000000 +0000 @@ -1,3 +1,14 @@ +gnome-autoar (0.2.3-1ubuntu0.4) bionic-security; urgency=medium + + * SECURITY REGRESSION: Fix extracting one-file archives (LP: #1929304) + - debian/patches/fix_one_file_archives.patch: don't create en empty + folder when extracting with nautilus in + gnome-autoar/autoar-extractor.c. + - debian/patches/fix_one_file_archives2.patch: prevent redundant path + name handling for equal prefixes in gnome-autoar/autoar-extractor.c. + + -- Marc Deslauriers Fri, 04 Jun 2021 07:03:33 -0400 + gnome-autoar (0.2.3-1ubuntu0.3) bionic-security; urgency=medium * SECURITY UPDATE: more directory traversal issues diff -Nru gnome-autoar-0.2.3/debian/patches/fix_one_file_archives2.patch gnome-autoar-0.2.3/debian/patches/fix_one_file_archives2.patch --- gnome-autoar-0.2.3/debian/patches/fix_one_file_archives2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnome-autoar-0.2.3/debian/patches/fix_one_file_archives2.patch 2021-06-04 11:03:33.000000000 +0000 @@ -0,0 +1,31 @@ +From b9590ab77b70e74e9deffd2af6c32908dc3c5aaf Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 10 May 2021 15:01:54 +0200 +Subject: [PATCH] extractor: Prevent redundant path name handling for equal + prefixes + +Currently, redundant path name handling happens when archive files have +a common prefix and an equal destination is returned from the `decide-destination` +signal. In this case, the old prefix is removed and the new one (the equal one) +is added again. Let's detect this case and prevent the redundancy. +--- + gnome-autoar/autoar-extractor.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/gnome-autoar/autoar-extractor.c ++++ b/gnome-autoar/autoar-extractor.c +@@ -1745,9 +1745,12 @@ autoar_extractor_step_decide_destination + autoar_extractor_signal_decide_destination (self, + self->prefix, + files, +- &new_destination); ++ &self->new_prefix); + +- self->new_prefix = new_destination; ++ if (self->new_prefix && g_file_equal (self->prefix, self->new_prefix)) { ++ /* This prevents redundant path name handling later. */ ++ g_clear_object (&self->new_prefix); ++ } + } else { + autoar_extractor_signal_decide_destination (self, + self->destination_dir, diff -Nru gnome-autoar-0.2.3/debian/patches/fix_one_file_archives.patch gnome-autoar-0.2.3/debian/patches/fix_one_file_archives.patch --- gnome-autoar-0.2.3/debian/patches/fix_one_file_archives.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnome-autoar-0.2.3/debian/patches/fix_one_file_archives.patch 2021-06-04 11:03:29.000000000 +0000 @@ -0,0 +1,56 @@ +From 135053d5d3a0320891cf2e2ad4684b648bb46fc8 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 10 May 2021 15:03:08 +0200 +Subject: [PATCH] extractor: Fix extraction of one file archives + +Currently, an empty folder is created when extracting an archive over +Nautilus which contains one file with the same name as the archive. +This is because gnome-autoar always creates the top-level folder, but +the one file archive with the same name should be extracted directly +without creating additional folders. Otherwise the `conflict` signal +is emitted and Nautilus by default skips conflicting files, so only +empty folder remains after extraction. This problem have not been +unfortunately noticed by the `test-one-file-same-name` unit test due to +differences in the `decide-destination` signal handling. Let's do not +create the top-level folder at all as `g_file_make_directory_with_parents` +is used later anyway. + +Fixes: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/28 +--- + gnome-autoar/autoar-extractor.c | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +--- a/gnome-autoar/autoar-extractor.c ++++ b/gnome-autoar/autoar-extractor.c +@@ -1760,28 +1760,11 @@ autoar_extractor_step_decide_destination + } + } + +- new_destination = (self->new_prefix != NULL) ? self->new_prefix : self->destination_dir; +- destination_name = g_file_get_path (new_destination); ++ destination_name = g_file_get_path (self->new_prefix != NULL ? ++ self->new_prefix : ++ self->destination_dir); + g_debug ("autoar_extractor_step_decide_destination: destination %s", destination_name); + +- g_file_make_directory_with_parents (new_destination, +- self->cancellable, +- &(self->error)); +- +- if (g_error_matches (self->error, G_IO_ERROR, G_IO_ERROR_EXISTS)) { +- GFileType file_type; +- +- file_type = g_file_query_file_type (new_destination, +- G_FILE_QUERY_INFO_NONE, +- NULL); +- +- if (file_type == G_FILE_TYPE_DIRECTORY) { +- /* FIXME: Implement a way to solve directory conflicts */ +- g_debug ("autoar_extractor_step_decide_destination: destination directory exists"); +- g_clear_error (&self->error); +- } +- } +- + g_list_free_full (files, g_object_unref); + } + diff -Nru gnome-autoar-0.2.3/debian/patches/series gnome-autoar-0.2.3/debian/patches/series --- gnome-autoar-0.2.3/debian/patches/series 2021-05-05 16:52:41.000000000 +0000 +++ gnome-autoar-0.2.3/debian/patches/series 2021-06-04 11:03:33.000000000 +0000 @@ -8,3 +8,5 @@ CVE-2021-28650-08.patch CVE-2021-28650-09.patch CVE-2021-28650-10.patch +fix_one_file_archives.patch +fix_one_file_archives2.patch