CVE-2017-5330 - Ark: unintended execution of scripts and executable files

Bug #1655507 reported by Rik Mills on 2017-01-11
Affects / Importance / Assigned to / Milestone:
  ark (Ubuntu): Medium, Unassigned
  Xenial: High, Unassigned
  Yakkety: High, Unassigned
  Zesty: Medium, Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: CVE-2017-5330
Versions: ark >= 15.12
Author: Elvis Angelaccio <email address hidden>
Date: 12 January 2017

Overview
========

Through a (possibly malicious) tar archive that contains an
executable shell script or binary, it was possible to execute
arbitrary code on target machines.
KRun::runUrl() has a runExecutable argument which defaults to true.
Ark was using this default value and was also not checking
whether an extracted file was executable before passing it to the
runUrl() function.

Impact
======

An attacker can send legitimate tar archives with executable scripts or
binaries disguised as normal files (say, with README or LICENSE as filenames).
The attacker can then trick a user into selecting those files and clicking
the Open button in the Ark toolbar, which triggers the affected code.

Workaround
==========

Don't use the File -> Open functionality of Ark.
You can still open archives (Archive->Open) and extract them.

Solution
========

Update to Ark >= 16.12.1

For older releases of Ark, apply the following patches:

Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

Credits
=======

Thanks to Fabian Vogt for reporting this issue and Elvis Angelaccio for
fixing this issue.
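As an added example (not Ark's or KDE's code) of the gate the advisory says Ark lacked: before an extracted entry is handed to a generic open-URL helper such as KRun::runUrl(), refuse anything marked executable or whose first bytes are a shebang or ELF header, regardless of a harmless-looking name like README. The /tmp paths and sample files are constructed for the demo.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <sys/stat.h>

// Mode-bit check: any execute bit set on the file.
bool hasExecBit(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return false;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

// Content check: a "#!" interpreter line or an ELF header at offset 0,
// so an executable with the exec bit stripped is still refused.
bool looksExecutableContent(const std::string &path) {
    FILE *f = std::fopen(path.c_str(), "rb");
    if (!f) return false;
    unsigned char magic[4] = {0, 0, 0, 0};
    size_t n = std::fread(magic, 1, sizeof magic, f);
    std::fclose(f);
    if (n >= 2 && magic[0] == '#' && magic[1] == '!') return true;
    return n >= 4 && std::memcmp(magic, "\x7f" "ELF", 4) == 0;
}

// Gate: open only regular files that are neither marked nor shaped as executables.
bool safeToOpenForViewing(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    return !hasExecBit(path) && !looksExecutableContent(path);
}

// Writes a constructed sample file under /tmp (demo data, not from an archive).
std::string writeSample(const std::string &name, const std::string &content, bool exec) {
    std::string path = "/tmp/cve-2017-5330-demo-" + name;
    FILE *f = std::fopen(path.c_str(), "wb");
    if (!f) return "";
    std::fwrite(content.data(), 1, content.size(), f);
    std::fclose(f);
    chmod(path.c_str(), exec ? 0700 : 0600);
    return path;
}

int main() {
    // A script disguised as README, as in the advisory, beside a real text file.
    std::string evil = writeSample("README", "#!/bin/sh\necho hi\n", true);
    std::string plain = writeSample("LICENSE", "Copyright (c) example\n", false);
    std::printf("README:  %s\n", safeToOpenForViewing(evil) ? "open" : "refuse");
    std::printf("LICENSE: %s\n", safeToOpenForViewing(plain) ? "open" : "refuse");
    return 0;
}
```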


Changed in ark (Ubuntu Xenial):
importance: Undecided → High
Changed in ark (Ubuntu Yakkety):
importance: Undecided → High
Changed in ark (Ubuntu Zesty):
importance: Undecided → Medium
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ark (Ubuntu):
status: New → Incomplete
Changed in ark (Ubuntu Xenial):
status: New → Incomplete
Changed in ark (Ubuntu Yakkety):
status: New → Incomplete
information type: Private Security → Public Security

I have a debdiff for Xenial, but due to my lack of resources (pathetic slow internet and old system) I can't test it.

https://launchpad.net/~kubuntu-ninjas/+archive/ubuntu/ppa/+packages?field.name_filter=ark&field.status_filter=published&field.series_filter=

tags: added: patch
visred (visred) wrote :

I am including a debdiff for yakkety

Clive if you want I can build it in my ppa. I already started building for yakkety. Please test it and sponsor these diffs https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages

visred (visred) wrote :

I tested it and no problems on yakkety. I was trying to send a merge proposal but I am unable to find the bzr branch.

Although ark is present at lp:ark, bzr can't pull from there for some reason. Tried using git too. Still can't find the branch.

Changed in ark (Ubuntu Xenial):
status: Incomplete → Confirmed
Changed in ark (Ubuntu Yakkety):
status: Incomplete → Confirmed
Changed in ark (Ubuntu Zesty):
status: Incomplete → Confirmed

On 17/01/17 08:52, visred wrote:
> I tested it and no problems on yakkety. I was trying to send a merge
> proposal but I am unable to find the bzr branch.
>
> Although ark is present at lp:ark , bzr can't pull from there for some
> reason. Tried using git too. Still can't find the branch.

Here:
https://code.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/ark

Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors so this gets looked at.

visred (visred) wrote :

New debdiff.patch that conforms to Ubuntu security sponsorship procedures

Simon Quigley (tsimonq2) wrote :

KDE Applications 16.12.1 seems to be uploaded to Zesty (excluding PIM) and it includes Ark 16.12.1, which has this fix baked in. https://launchpad.net/ubuntu/+source/ark/4:16.12.1-0ubuntu1

I'm marking this as Fix Committed in Zesty, and if someone could mark this as Fix Released once it gets through to zesty-release, that would be great. Looks like someone forgot to put this bug number in the changelog.

Changed in ark (Ubuntu Zesty):
status: Confirmed → Fix Committed
description: updated
Rik Mills (rikmills) wrote :

On 20/01/17 03:42, Simon Quigley wrote:
> I'm marking this as Fix Committed in Zesty, and if someone could mark
> this as Fix Released once it gets through to zesty-release, that would
> be great. Looks like someone forgot to put this bug number in the
> changelog.

I did, thanks.

Rik Mills (rikmills) on 2017-01-20
Changed in ark (Ubuntu Zesty):
status: Fix Committed → Fix Released
Emily Ratliff (emilyr) on 2017-01-20
Changed in ark (Ubuntu Yakkety):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:16.04.3a-0ubuntu2.2

---------------
ark (4:16.04.3a-0ubuntu2.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: unintended execution of scripts and executable files
      - debian/patches/no-exec-during-url-open.patch
      - Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.
      - CVE-2017-5330
      - fixes (LP: #1655507)

 -- Vishnu Vardhan Reddy Naini <email address hidden> Thu, 19 Jan 2017 03:10:04 +0530

Changed in ark (Ubuntu Yakkety):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:15.12.3-0ubuntu1.1

---------------
ark (4:15.12.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Stop running executables when opening urls (LP: #1655507)
    - debian/patches/00_disable_open_functionality.patch
    - CVE-2017-5530

 -- Clive Johnston <email address hidden> Wed, 11 Jan 2017 16:42:19 +0000

Changed in ark (Ubuntu Xenial):
status: Confirmed → Fix Released