svn commit: r543799 - head/security/vuxml
Tobias C. Berner
tcberner at FreeBSD.org
Thu Jul 30 15:54:22 UTC 2020
Author: tcberner
Date: Thu Jul 30 15:54:21 2020
New Revision: 543799
URL: https://svnweb.freebsd.org/changeset/ports/543799
Log:
Document vulnerability in archivers/ark
- fixed in r543704 (head), r543705 (2020Q3)
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Jul 30 15:54:05 2020 (r543798)
+++ head/security/vuxml/vuln.xml Thu Jul 30 15:54:21 2020 (r543799)
@@ -41,7 +41,7 @@ QUICK GUIDE TO ADDING A NEW ENTRY
5. use 'make VID=xxx-yyy-zzz html' to emit the entry's html file for formatting review
6. profit!
-Additional tests can be done this way:
+edditional tests can be done this way:
$ pkg audit -f ./vuln.xml py26-django-1.6
$ pkg audit -f ./vuln.xml py27-django-1.6.1
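Review bot: the `-`/`+` pair in this hunk replaces the correct word "Additional" with "edditional" in the file's header comment, which looks like a stray keystroke unrelated to the ark entry described in the log message; the `+edditional tests can be done this way:` line should be reverted to `Additional tests can be done this way:` before or immediately after this commit so the typo does not land in vuln.xml.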
@@ -58,6 +58,87 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="d1ef1138-d273-11ea-a757-e0d55e2a8bf9">
+ <topic>ark -- directory traversal</topic>
+ <affects>
+ <package>
+ <name>ark</name>
+ <range><lt>20.04.2_1</lt></range>
+ <range><eq>20.04.3</eq></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>KDE Project Security Advisory reports:</p>
+ <blockquote cite="https://kde.org/info/security/advisory-20200730-1.txt">
+ <h3>KDE Project Security Advisory</h3>
+ <table>
+ <tr>
+ <td>Title:</td>
+ <td>Ark: maliciously crafted archive can install files outside the extraction directory.</td>
+ </tr>
+ <tr>
+ <td>Risk Rating:</td>
+ <td>Important</td>
+ </tr>
+ <tr>
+ <td>CVE:</td>
+ <td>CVE-2020-16116</td>
+ </tr>
+ <tr>
+ <td>Versions:</td>
+ <td>ark <= 20.04.3</td>
+ </tr>
+ <tr>
+ <td>Author:</td>
+ <td>Elvis Angelaccio <elvis.angelaccio at kde.org></td>
+ </tr>
+ <tr>
+ <td>Date:</td>
+ <td>30 July 2020</td>
+ </tr>
+ </table>
+ <h3>Overview</h3>
+ <p>A maliciously crafted archive with "../" in the file paths
+ would install files anywhere in the user's home directory upon extraction.</p>
+
+ <h3>Proof of concept</h3>
+ <p>For testing, an example of malicious archive can be found at
+ https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip</p>
+
+ <h3>Impact</h3>
+ <p>Users can unwillingly install files like a modified .bashrc, or a malicious
+ script placed in ~/.config/autostart</p>
+
+ <h3>Workaround</h3>
+ <p>Users should not use the 'Extract' context menu from the Dolphin file manager.
+ Before extracting a downloaded archive using the Ark GUI, users should inspect it
+ to make sure it doesn't contain entries with "../" in the file path.</p>
+
+ <h3>Solution</h3>
+ <p>Ark 20.08.0 prevents loading of malicious archives and shows a warning message
+ to the users.</p>
+
+ <p>Alternatively,
+ https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
+ can be applied to previous releases.</p>
+
+ <h3>Credits</h3>
+ <p>Thanks to Dominik Penner for finding and reporting this issue and thanks to
+ Elvis Angelaccio and Albert Astals Cid for fixing it.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2020-16116</cvename>
+ <url>https://kde.org/info/security/advisory-20200730-1.txt</url>
+ </references>
+ <dates>
+ <discovery>2020-07-30</discovery>
+ <entry>2020-07-30</entry>
+ </dates>
+ </vuln>
+
<vuln vid="9a447f78-d0f8-11ea-9837-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
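Review bot: as shown in this hunk, the `Versions:` cell `<td>ark <= 20.04.3</td>` and the `Author:` cell `<td>Elvis Angelaccio <elvis.angelaccio at kde.org></td>` carry raw `<` and `>` characters inside the XHTML body; if the committed file really contains them unescaped rather than as `&lt;`/`&gt;` entities, the document is not well-formed XML and the entry will not validate or be picked up by `pkg audit`. Please confirm the escaped form is what was committed and run the check already suggested in the file header, e.g. `pkg audit -f ./vuln.xml ark-20.04.3` and `pkg audit -f ./vuln.xml ark-20.04.2_1`, to verify that the `<range><lt>20.04.2_1</lt></range>` plus `<range><eq>20.04.3</eq></range>` pair flags exactly the unpatched versions named in the log message (fixed in r543704 and r543705).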