KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ark (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | High | Steve Beattie |
Groovy | Fix Released | High | Unassigned |
Bug Description
I am including a debdiff for an upstream security bug in ark. I have tested it in focal with a successful build in ppa. The link to a sample archive is available in the kde advisory at https:/
Upstream patch at: https:/
Below is the original KDE project security advisory:
Albert Astals Cid <email address hidden>, 03:56 (18 hours ago), to kde-announce
KDE Project Security Advisory
=======
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <email address hidden>
Date: 30 July 2020
Overview
========
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https:/
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
========
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
https:/
can be applied to previous releases.
Credits
=======
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
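The workaround in the advisory above (inspect the archive for entries with "../" before extracting) can be automated. The following Python checker is an added example, not Ark's code or the upstream patch: it lists zip or tar entries whose normalised path, or link target, would land outside a hypothetical extraction directory, and the sample tar it builds is constructed here for the demonstration, not the advisory's proof-of-concept archive.

```python
import io
import os
import tarfile
import zipfile

# Hypothetical extraction directory used only to anchor the path check; it need not exist.
EXTRACT_DIR = "/tmp/ark-extract"

def is_path_contained(base_dir: str, entry_path: str) -> bool:
    """True only if writing entry_path relative to base_dir cannot land outside base_dir.
    Absolute paths are rejected outright; '..' components are normalised before comparing."""
    if os.path.isabs(entry_path):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, entry_path))
    return target == base or target.startswith(base + os.sep)

def unsafe_entries(archive_bytes: bytes, base_dir: str = EXTRACT_DIR) -> list[str]:
    """Names of zip/tar entries that would escape base_dir, including links whose target escapes."""
    candidates: list[tuple[str, str]] = []  # (entry name to report, path to check)
    buf = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            candidates += [(n, n) for n in zf.namelist()]
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for m in tf.getmembers():
                candidates.append((m.name, m.name))
                if m.issym():  # symlink targets resolve relative to the link's own directory
                    candidates.append((m.name, os.path.join(os.path.dirname(m.name), m.linkname)))
                elif m.islnk():  # hard-link targets are paths relative to the archive root
                    candidates.append((m.name, m.linkname))
    flagged = [name for name, path in candidates if not is_path_contained(base_dir, path)]
    return list(dict.fromkeys(flagged))  # de-duplicate, keeping archive order

def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry and one entry that climbs out of the
    extraction directory, mirroring the .bashrc case named in the advisory's Impact section."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../.bashrc"):
            data = b"sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    bad = unsafe_entries(build_sample_tar())
    print("refusing to extract:" if bad else "archive looks safe", bad)
```

Run it against a downloaded archive by passing the file's bytes to unsafe_entries(); an empty result means every entry stays under the extraction directory.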
Changed in ark (Ubuntu Groovy):
  status: New → In Progress
  importance: Undecided → High

Changed in ark (Ubuntu Focal):
  status: New → Confirmed
  importance: Undecided → High

Changed in ark (Ubuntu Focal):
  assignee: nobody → Steve Beattie (sbeattie)
The attachment "debdiff/patch for focal. Directly backportable to earlier variants" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]