Date:      Thu, 30 Jul 2020 04:34:54 +0000 (UTC)
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r543705 - in branches/2020Q3/archivers/ark: . files
Message-ID:  <202007300434.06U4YsNI079964@repo.freebsd.org>

Author: tcberner
Date: Thu Jul 30 04:34:54 2020
New Revision: 543705
URL: https://svnweb.freebsd.org/changeset/ports/543705

Log:
  MFH: r543704
  
  archivers/ark: security fix
  
  KDE Project Security Advisory
  =============================
  
  Title:           Ark: maliciously crafted archive can install files outside the extraction directory.
  Risk Rating:     Important
  CVE:             CVE-2020-16116
  Versions:        ark <= 20.04.3
  Author:          Elvis Angelaccio <elvis.angelaccio@kde.org>
  Date:            30 July 2020
  
  Overview
  ========
  
  A maliciously crafted archive with "../" in the file paths
  would install files anywhere in the user's home directory upon extraction.
  
  Proof of concept
  ================
  
  For testing, an example of malicious archive can be found at
  https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
  
  Impact
  ======
  
  Users can unwillingly install files like a modified .bashrc, or a malicious
  script placed in ~/.config/autostart
  
  Workaround
  ==========
  
  Users should not use the 'Extract' context menu from the Dolphin file manager.
  Before extracting a downloaded archive using the Ark GUI, users should inspect it
  to make sure it doesn't contain entries with "../" in the file path.
  
  Solution
  ========
  
  Ark 20.08.0 prevents loading of malicious archives and shows a warning message
  to the users.
  
  Alternatively,
  https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
  can be applied to previous releases.
  
  Credits
  =======
  
  Thanks to Dominik Penner for finding and reporting this issue and thanks to
  Elvis Angelaccio and Albert Astals Cid for fixing it.
  
  Approved by:	ports-secteam (blanket)

Added:
  branches/2020Q3/archivers/ark/files/
     - copied from r543704, head/archivers/ark/files/
Modified:
  branches/2020Q3/archivers/ark/Makefile
Directory Properties:
  branches/2020Q3/   (props changed)

Modified: branches/2020Q3/archivers/ark/Makefile
==============================================================================
--- branches/2020Q3/archivers/ark/Makefile	Thu Jul 30 04:32:24 2020	(r543704)
+++ branches/2020Q3/archivers/ark/Makefile	Thu Jul 30 04:34:54 2020	(r543705)
@@ -2,6 +2,7 @@
 
 PORTNAME=	ark
 DISTVERSION=	${KDE_APPLICATIONS_VERSION}
+PORTREVISION=	1
 CATEGORIES=	archivers kde kde-applications
 
 MAINTAINER=	kde@FreeBSD.org
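Review bot: The PORTREVISION=1 bump is the correct way to force a package rebuild when the fix arrives as a files/ patch rather than a new DISTVERSION, but that patch is not visible in this diff (the Added: block only says files/ was copied from r543704). Before merging, confirm that the copied files/ patch is the upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f named in the log, since this hunk alone only changes the revision number.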

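The advisory's workaround asks users to inspect a downloaded archive for entries containing "../" before extracting it. The following is an added example, not code from Ark, KDE, or the FreeBSD port: a small checker that builds a constructed zip in memory mixing benign entries with traversal entries (relative "../", an absolute path, and a "docs/../../" form that only escapes after normalisation), lists the entries that would land outside the extraction directory, and refuses to extract the whole archive when any are present, mirroring the "prevents loading of malicious archives" behaviour the Solution section describes. All function names and the sample entry names are assumptions for illustration.

```python
"""Detect and refuse zip entries that escape the extraction directory.

Added example for the path-traversal class of bug described in
CVE-2020-16116; it is not Ark's code. Entry names below are constructed.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample data: two entries that stay inside the tree (the second
# only after normalisation) and three that escape or are absolute.
BENIGN_ENTRIES = {
    "project/readme.txt": b"hello\n",
    "project/sub/../notes.txt": b"normalises to project/notes.txt\n",
}
MALICIOUS_ENTRIES = {
    "../../.bashrc": b"echo pwned\n",
    "docs/../../escape.txt": b"escapes only after normalisation\n",
    "/etc/cron.d/evil": b"* * * * * root id\n",
}


def build_archive(entries: dict) -> bytes:
    """Write the given name -> bytes mapping into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # ZipInfo does not sanitise names, so "../" and "/" are stored as-is.
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    return build_archive({**BENIGN_ENTRIES, **MALICIOUS_ENTRIES})


def build_benign_archive() -> bytes:
    return build_archive(BENIGN_ENTRIES)


def is_unsafe_path(dest: str, name: str) -> bool:
    """True if an entry named `name` would be written outside `dest`.

    Rejects absolute names outright, then resolves the joined path and
    checks that `dest` is still its prefix; a plain "../" substring test
    would miss names like "docs/../../x" only after they are normalised.
    """
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return True
    dest_real = os.path.realpath(dest)
    # Zip names always use "/" as separator regardless of platform.
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Names of all entries that would escape `dest`, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_path(dest, n)]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract into `dest`, refusing the whole archive if any entry escapes.

    Returns the list of extracted entry names. Refusing the entire archive
    (rather than skipping bad entries) is the conservative choice: a
    partially extracted archive can still be misleading to the user.
    """
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, *info.filename.split("/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def demo() -> dict:
    """Run both archives against a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        result = {"rejected": unsafe_entries(build_sample_archive(), dest)}
        try:
            safe_extract(build_sample_archive(), dest)
            result["malicious_extracted"] = True
        except ValueError:
            result["malicious_extracted"] = False
        result["benign_extracted"] = safe_extract(build_benign_archive(), dest)
        result["notes_on_disk"] = os.path.isfile(
            os.path.join(dest, "project", "notes.txt"))
        return result


if __name__ == "__main__":
    print(demo())
```

The check deliberately compares resolved paths rather than searching names for "../": the third malicious entry above contains "../" but so does the benign "project/sub/../notes.txt", and a substring test would either reject the benign one or be fooled by names that only escape after normalisation. Python's own zipfile.extractall strips ".." components silently, which hides rather than reports the problem; the checker here surfaces the offending names so the user can see what the archive tried to do.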