svn commit: r543705 - in branches/2020Q3/archivers/ark: . files
Tobias C. Berner
tcberner at FreeBSD.org
Thu Jul 30 04:34:54 UTC 2020
Author: tcberner
Date: Thu Jul 30 04:34:54 2020
New Revision: 543705
URL: https://svnweb.freebsd.org/changeset/ports/543705
Log:
MFH: r543704
archivers/ark: security fix
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio at kde.org>
Date: 30 July 2020
Overview
========
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of a malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
========
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.
Credits
=======
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
Approved by: ports-secteam (blanket)
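The workaround in the advisory asks users to inspect an archive for entries containing "../" before extracting it. The following script is an editor-added example, not code from the Ark project, the KDE advisory or the FreeBSD commit, of what that inspection looks like when done properly: it resolves every member name against the intended extraction directory and flags any that would land outside it (including names that only escape after normalisation, such as `docs/../../x`, and absolute paths), then refuses extraction if any were found. The archive it inspects is constructed in memory for the demonstration; its entry names are illustrative and are not taken from the relative2.zip linked above.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two entries that try to
    escape the extraction directory in the way the advisory describes.
    Names are illustrative, not copied from any real archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless\n")
        zf.writestr("../.bashrc", "echo pwned\n")
        zf.writestr("docs/../../.config/autostart/evil.desktop", "[Desktop Entry]\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample with only well-behaved entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless\n")
        zf.writestr("docs/notes.txt", "also harmless\n")
    return buf.getvalue()


def escapes(dest: str, member: str) -> bool:
    """True if extracting `member` under `dest` would write outside `dest`.

    A plain substring search for "../" is not enough: the check must be done
    on the resolved path, so that "a/../../x" and absolute names are caught
    and a legitimate "a/b..c" is not. Backslashes are treated as separators
    because some archivers honour them as such."""
    dest_real = os.path.realpath(dest)
    name = member.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name):
        return True
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def traversal_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Return the member names that would escape `dest`, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if escapes(dest, n)]


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only if no member escapes `dest`; otherwise refuse outright.
    Refusing the whole archive (rather than skipping bad entries) mirrors
    the behaviour the advisory describes for Ark 20.08.0."""
    bad = traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: entries escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def demo() -> Dict[str, object]:
    """Run both archives against a temporary extraction directory."""
    with tempfile.TemporaryDirectory() as dest:
        bad = traversal_entries(build_sample_archive(), dest)
        try:
            safe_extract(build_sample_archive(), dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(build_clean_archive(), dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(r, f), dest)
            for r, _, fs in os.walk(dest) for f in fs
        )
    return {"bad": bad, "refused": refused, "extracted": extracted, "on_disk": on_disk}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that Python's own `zipfile.extractall` already strips leading `../` and drive/root components from member names, so the `extractall` call here is not itself the vulnerable step; the point of the example is the inspection that the advisory's workaround asks users to do by hand, and the decision to refuse the whole archive rather than silently rewrite paths.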
Added:
branches/2020Q3/archivers/ark/files/
- copied from r543704, head/archivers/ark/files/
Modified:
branches/2020Q3/archivers/ark/Makefile
Directory Properties:
branches/2020Q3/ (props changed)
Modified: branches/2020Q3/archivers/ark/Makefile
==============================================================================
--- branches/2020Q3/archivers/ark/Makefile Thu Jul 30 04:32:24 2020 (r543704)
+++ branches/2020Q3/archivers/ark/Makefile Thu Jul 30 04:34:54 2020 (r543705)
@@ -2,6 +2,7 @@
PORTNAME= ark
DISTVERSION= ${KDE_APPLICATIONS_VERSION}
+PORTREVISION= 1
CATEGORIES= archivers kde kde-applications
MAINTAINER= kde at FreeBSD.org
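Review bot: the Makefile hunk only bumps PORTREVISION to 1; the actual fix lives in the files/ directory listed above as "copied from r543704", and its contents do not appear in this diff, so the patch in files/ should be checked against the upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f named in the log before approving the merge. The log also does not mention a corresponding security/vuxml entry for CVE-2020-16116; if one was added in a separate revision it would help to reference it here so users of pkg audit can correlate the revision bump with the advisory.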