CVE-2021-28650: 
NixOS vulnerability analysis and mitigation

CVE-2021-28650 affects GNOME gnome-autoar versions before 0.3.1, which is used by GNOME Shell, Nautilus, and other software. The vulnerability was discovered on March 17, 2021, and involves a Directory Traversal issue during extraction due to missing checks on whether a file's parent is a symlink in certain complex situations. This vulnerability exists as a result of an incomplete fix for CVE-2020-36241 (NVD, CVE).

The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is specifically located in the autoar-extractor.c component and is classified as CWE-59 (Improper Link Resolution Before File Access). The vulnerability requires local access with low attack complexity and low privileges, with no user interaction needed (NVD).

The vulnerability allows for Directory Traversal during extraction operations, which could potentially lead to unauthorized access to files outside the intended extraction directory. This could result in information disclosure with high confidentiality impact, though integrity and availability are not affected (NVD, Ubuntu).

The vulnerability was fixed in GNOME gnome-autoar version 0.3.1. Users and administrators are advised to upgrade to this version or later. The fix was implemented through a patch that adds proper checks for symlink parent directories during extraction operations. Multiple distributions have released security updates to address this vulnerability, including Ubuntu, Fedora, and Gentoo (Gentoo, Debian).