svn commit: r543704 - head/archivers/ark/files
Tobias C. Berner
tcberner at FreeBSD.org
Thu Jul 30 04:32:25 UTC 2020

Author: tcberner
Date: Thu Jul 30 04:32:24 2020
New Revision: 543704
URL: https://svnweb.freebsd.org/changeset/ports/543704
Log:
  archivers/ark: security fix
  
  KDE Project Security Advisory
  =============================
  
  Title:           Ark: maliciously crafted archive can install files outside the extraction directory.
  Risk Rating:     Important
  CVE:             CVE-2020-16116
  Versions:        ark <= 20.04.3
  Author:          Elvis Angelaccio <elvis.angelaccio at kde.org>
  Date:            30 July 2020
  
  Overview
  ========
  
  A maliciously crafted archive with "../" in the file paths
  would install files anywhere in the user's home directory upon extraction.
  
  Proof of concept
  ================
  
  For testing, an example of a malicious archive can be found at
  https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
  
  Impact
  ======
  
  Users can unwillingly install files like a modified .bashrc, or a malicious
  script placed in ~/.config/autostart.
  
  Workaround
  ==========
  
  Users should not use the 'Extract' context menu from the Dolphin file manager.
  Before extracting a downloaded archive using the Ark GUI, users should inspect it
  to make sure it doesn't contain entries with "../" in the file path.
  
  Solution
  ========
  
  Ark 20.08.0 prevents loading of malicious archives and shows a warning message
  to the users.
  
  Alternatively,
  https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
  can be applied to previous releases.
  
  Credits
  =======
  
  Thanks to Dominik Penner for finding and reporting this issue and thanks to
  Elvis Angelaccio and Albert Astals Cid for fixing it.
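The traversal check described in this advisory, as an added example that is not part of the commit or of Ark's code: entry paths are normalised first (posixpath.normpath makes the same "a/../b" versus "a/../../b" distinction as QDir::cleanPath does in the fix), then anything still escaping the extraction root aborts the load. The sample archive is constructed in memory; the example also rejects entries that normalise to a bare ".." and absolute entry paths, which goes beyond the "../" test in the Ark patch.

```python
import io
import posixpath
import zipfile


def is_traversal(entry_name: str) -> bool:
    """Normalise the entry path, then reject anything that still climbs
    above the extraction root. Assumes "/" separators, as in zip entries.

    posixpath.normpath turns "docs/../notes.txt" into "notes.txt" (legitimate,
    resolves inside the tree) but leaves "a/../../x" as "../x" (escapes).
    """
    cleaned = posixpath.normpath(entry_name)
    if cleaned == ".." or cleaned.startswith("../"):
        return True          # still points above the extraction directory
    return cleaned.startswith("/")   # absolute path: extension beyond Ark's check


def build_sample_archive() -> bytes:
    """Constructed sample zip (not a real-world file): two benign entries, one
    that uses '..' but resolves inside the tree, and two that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("docs/../notes.txt", "benign, resolves to notes.txt")
        zf.writestr("../.bashrc", "escapes to the parent directory")
        zf.writestr("a/../../.config/autostart/x.desktop", "escapes via nested ..")
    return buf.getvalue()


def scan_archive(data: bytes) -> dict:
    """Return {entry_name: is_traversal} for every entry of a zip in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: is_traversal(name) for name in zf.namelist()}


def load_or_abort(data: bytes):
    """Ark-style policy: abort the whole load on the first offending entry.
    Returns (ok, offending_entry_or_None)."""
    for name, bad in scan_archive(data).items():
        if bad:
            return False, name
    return True, None


if __name__ == "__main__":
    print(load_or_abort(build_sample_archive()))   # (False, '../.bashrc')
```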
Added:
  head/archivers/ark/files/
  head/archivers/ark/files/patch-git_0d5952   (contents, props changed)
Added: head/archivers/ark/files/patch-git_0d5952
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/archivers/ark/files/patch-git_0d5952	Thu Jul 30 04:32:24 2020	(r543704)
@@ -0,0 +1,46 @@
+From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
+From: Elvis Angelaccio <elvis.angelaccio at kde.org>
+Date: Wed, 29 Jul 2020 23:45:30 +0200
+Subject: [PATCH] Fix vulnerability to path traversal attacks
+
+Ark was vulnerable to directory traversal attacks because of
+missing validation of file paths in the archive.
+
+More details about this attack are available at:
+https://github.com/snyk/zip-slip-vulnerability
+
+Job::onEntry() is the only place where we can safely check the path of
+every entry in the archive. There shouldn't be a valid reason
+to have a "../" in an archive path, so we can just play safe and abort
+the LoadJob if we detect such an entry. This makes impossibile to
+extract this kind of malicious archives and perform the attack.
+
+Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
+so that we can still allow loading of legitimate archives that
+contain "../" in their paths but still resolve inside the extraction folder.
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
+index fdaa48695..f73b56f86 100644
+--- kerfuffle/jobs.cpp
++++ kerfuffle/jobs.cpp
+@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
+ 
+ void Job::onEntry(Archive::Entry *entry)
+ {
++    const QString entryFullPath = entry->fullPath();
++    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++        qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++        onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++        onFinished(false);
++        return;
++    }
++
+     emit newEntry(entry);
+ }
+ 
+-- 
+GitLab
+
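Review bot: the check `QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))` in Job::onEntry() does what the commit message says (`a/../b` normalises to `b` and is allowed, `a/../../x` normalises to `../x` and is rejected), but two gaps are worth a follow-up: cleanPath() strips trailing separators, so an entry that normalises to a bare `..` is not matched, and absolute entry paths are not examined here at all, so confirm they are rejected elsewhere before treating onEntry() as the single gate. Also, the hunk adds no `#include <QDir>`; confirm kerfuffle/jobs.cpp already includes it.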