Date:      Fri, 28 Aug 2020 05:47:31 +0000 (UTC)
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r546706 - in head/archivers/ark: . files
Message-ID:  <202008280547.07S5lVUM057347@repo.freebsd.org>

Author: tcberner
Date: Fri Aug 28 05:47:31 2020
New Revision: 546706
URL: https://svnweb.freebsd.org/changeset/ports/546706

Log:
  archivers/ark: fix vulnerability in tar extraction
  
  KDE Project Security Advisory
  =============================
  
  Title:           Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
  Risk Rating:     Important
  CVE:             CVE-2020-24654
  Versions:        ark <= 20.08.0
  Author:          Elvis Angelaccio <elvis.angelaccio@kde.org>
  Date:            27 August 2020
  
  Overview
  ========
  
  A maliciously crafted TAR archive containing symlink entries
  would install files anywhere in the user's home directory upon extraction.
  
  Proof of concept
  ================
  
  For testing, an example of a malicious archive can be found at
  https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar
  
  Impact
  ======
  
  Users can unwillingly install files like a modified .bashrc, or a malicious
  script placed in ~/.config/autostart.
  
  Workaround
  ==========
  
  Before extracting a downloaded archive using the Ark GUI, users should inspect it
  to make sure it doesn't contain symlink entries pointing outside the extraction folder.
  
  The 'Extract' context menu from the Dolphin file manager shouldn't be used.
  
  Solution
  ========
  
  Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
  
  Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
  releases.
  
  Credits
  =======
  
  Thanks to Fabian Vogt for reporting this issue and for fixing it.
  
  MFH:		2020Q3
  Security:	CVE-2020-24654

Added:
  head/archivers/ark/files/
  head/archivers/ark/files/patch-cve_2020-24654   (contents, props changed)
Modified:
  head/archivers/ark/Makefile

Modified: head/archivers/ark/Makefile
==============================================================================
--- head/archivers/ark/Makefile	Fri Aug 28 05:15:49 2020	(r546705)
+++ head/archivers/ark/Makefile	Fri Aug 28 05:47:31 2020	(r546706)
@@ -2,6 +2,7 @@
 
 PORTNAME=	ark
 DISTVERSION=	${KDE_APPLICATIONS_VERSION}
+PORTREVISION=	1
 CATEGORIES=	archivers kde kde-applications
 
 MAINTAINER=	kde@FreeBSD.org

Added: head/archivers/ark/files/patch-cve_2020-24654
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/archivers/ark/files/patch-cve_2020-24654	Fri Aug 28 05:47:31 2020	(r546706)
@@ -0,0 +1,54 @@
+From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Tue, 25 Aug 2020 22:14:37 +0200
+Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive
+
+There are archive types which allow to first create a symlink and then
+later on dereference it. If the symlink points outside of the archive,
+this results in writing outside of the destination directory.
+
+With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids
+this situation by verifying that none of the target path components are
+symlinks before writing.
+
+Remove the commented out code in the method, which would actually
+misbehave if enabled again.
+
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+---
+ plugins/libarchive/libarchiveplugin.cpp | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 50e81da1..8a0fed21 100644
+--- plugins/libarchive/libarchiveplugin.cpp
++++ plugins/libarchive/libarchiveplugin.cpp
+@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry)
+ 
+ int LibarchivePlugin::extractionFlags() const
+ {
+-    int result = ARCHIVE_EXTRACT_TIME;
+-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+-    // TODO: Don't use arksettings here
+-    /*if ( ArkSettings::preservePerms() )
+-    {
+-        result &= ARCHIVE_EXTRACT_PERM;
+-    }
+-
+-    if ( !ArkSettings::extractOverwrite() )
+-    {
+-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+-    }*/
+-
+-    return result;
++    return ARCHIVE_EXTRACT_TIME
++           | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++           | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+ 
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
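Review bot: the commented-out block this hunk deletes used `&=` where `|=` was clearly intended (`result &= ARCHIVE_EXTRACT_PERM;` would clear every bit of `result` except ARCHIVE_EXTRACT_PERM, silently dropping ARCHIVE_EXTRACT_TIME and ARCHIVE_EXTRACT_SECURE_NODOTDOT), so deleting it rather than re-enabling it is the right call, and that one-line reason is what the commit message's "would actually misbehave if enabled again" should spell out. Two things to confirm in the caller that uses `extractionFlags()`: with ARCHIVE_EXTRACT_SECURE_SYMLINKS set, libarchive fails the individual entry whose destination path passes through a symlink, so the extraction loop has to treat that per-entry failure as a skip (which is what the advisory promises) rather than aborting the whole job or ignoring the return value and reporting success; and the flag only guards the write path, the symlink entry itself is still created in the destination, which is fine for this bug but means any code that later follows that link on its own is not covered by this change.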
+-- 
+GitLab
+
+
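The mechanism the advisory and the quoted commit message describe (a symlink entry followed by a file entry whose path runs through that symlink, defeated by checking before each write that no existing component of the destination path is a symlink), as an added stand-alone example. This is not code from Ark, libarchive or the FreeBSD port, and it does not call libarchive: it re-implements the ARCHIVE_EXTRACT_SECURE_SYMLINKS check in Python with os.lstat so the vulnerable and fixed behaviour can be run side by side on a constructed archive shaped like the PoC. The member names `dir` and `dir/payload`, the stand-in `home` directory and all function names are this example's own assumptions.

```python
import io
import os
import stat
import tarfile
import tempfile


def build_dirsymlink_tar(link_target):
    """Build, in memory, a tar in the shape of the advisory's PoC: a symlink
    entry 'dir' -> link_target, then a regular file 'dir/payload' that gets
    written *through* that symlink on extraction.
    (Constructed sample; not the contents of the referenced dirsymlink.tar.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("dir")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tf.addfile(link)
        payload = b"# written by a malicious archive\n"
        member = tarfile.TarInfo("dir/payload")
        member.size = len(payload)
        tf.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def escapes_via_symlink(dest, relpath):
    """Mirror of what ARCHIVE_EXTRACT_SECURE_SYMLINKS makes libarchive do:
    walk the components of dest/relpath that already exist on disk and refuse
    if any of them is a symlink, regardless of where it points."""
    cur = dest
    for part in relpath.split("/")[:-1]:
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)           # lstat: do not follow the link itself
        except FileNotFoundError:
            return False                 # nothing below here exists yet
        if stat.S_ISLNK(st.st_mode):
            return True
    return False


def extract(tar_bytes, dest, secure_symlinks):
    """Minimal extractor. secure_symlinks=False behaves like Ark before the fix
    (only a SECURE_NODOTDOT-style rejection of '..' and absolute names);
    True adds the symlink-component check. Returns the skipped member names."""
    skipped = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                skipped.append(m.name)
                continue
            if secure_symlinks and escapes_via_symlink(dest, m.name):
                skipped.append(m.name)
                continue
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)   # creating the link is harmless by itself
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                with open(path, "wb") as fh:   # open() follows 'dir' if it is a symlink
                    fh.write(tf.extractfile(m).read())
    return skipped


def demo():
    """Extract the same archive in both modes into fresh directories and report
    whether the payload landed in the stand-in home directory (the advisory's
    ~/.bashrc or ~/.config/autostart case) and what was skipped."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")        # stands in for the user's $HOME
        os.mkdir(home)
        archive = build_dirsymlink_tar(home)    # absolute target; "../home" behaves the same
        for secure in (False, True):
            dest = os.path.join(tmp, "secure" if secure else "insecure")
            os.mkdir(dest)
            skipped = extract(archive, dest, secure_symlinks=secure)
            landed = os.path.join(home, "payload")
            out["secure" if secure else "insecure"] = {
                "payload_outside": os.path.exists(landed),
                "skipped": skipped,
            }
            if os.path.exists(landed):
                os.remove(landed)               # reset for the next mode
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on a POSIX system shows the payload landing in the stand-in home directory without the check and `dir/payload` being skipped with it; the symlink entry itself is created in both modes, which is exactly the situation the libarchive flag is built for: the hazard is the later write through the link, not the link. Because the check inspects what already exists on disk at write time, it also catches a symlink planted by an earlier entry of the same archive (as here) and a pre-existing symlink under the extraction directory, which a name-only check for `..` or leading `/` never sees.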