KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

Bug #1889672 reported by vishnunaini on 2020-07-30
Affects        Importance  Assigned to
ark (Ubuntu)   High        Unassigned
Bionic         Undecided   Unassigned
Focal          High        Steve Beattie
Groovy         High        Unassigned

Bug Description

I am including a debdiff for an upstream security bug in ark. I have tested it in focal with a successful build in a PPA. The link to a sample archive is available in the KDE advisory at https://kde.org/info/security/advisory-20200730-1.txt
Upstream patch at: https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f

Below is the original KDE project security advisory:

Albert Astals Cid <email address hidden>, to kde-announce:

KDE Project Security Advisory
=============================

Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <email address hidden>
Date: 30 July 2020

Overview
========

A maliciously crafted archive with "../" in its file paths can, upon extraction,
write files outside the chosen extraction directory: anywhere the user has write
access, which in practice means anywhere in the user's home directory.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact
======

Users can unwillingly install files such as a modified .bashrc, or a malicious
script placed in ~/.config/autostart (which the desktop session runs at login).

Workaround
==========

Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.

Solution
========

Ark 20.08.0 refuses to load such archives and shows a warning message
to the user.

Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.

Credits
=======

Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
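As an added example (not the advisory's, Ark's, or the bug reporter's code), the following Python automates the inspection the Workaround section asks users to do by hand, and implements the refuse-and-warn behaviour the Solution section describes for Ark 20.08. It constructs an archive in memory in the spirit of the relative2.zip proof of concept; the member names and contents are assumptions for the example, not the real file's contents, and the `Exec=` target in the autostart entry is a placeholder.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample members for this example (assumption: the real
# relative2.zip from the advisory is not reproduced here). The first
# entry is benign; the rest try to escape the extraction directory in
# the ways the advisory's Impact section mentions, plus an absolute path.
TRAVERSAL_MEMBERS = {
    "readme.txt": "harmless\n",
    "../../.bashrc": "echo pwned\n",
    "../.config/autostart/evil.desktop": "[Desktop Entry]\nType=Application\nExec=/tmp/x\n",
    "docs/../../escape.txt": "also bad\n",
    "/etc/passwd": "absolute path\n",
}


def build_zip(members: dict[str, str]) -> bytes:
    """Write the given name -> content mapping into an in-memory zip.
    zipfile stores names verbatim, so '../' and a leading '/' survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def is_unsafe_member(name: str) -> bool:
    """Lexical check on an archive member name: could extracting it land
    outside the extraction directory? Flags '..' components that climb
    above the root (after normalisation), absolute POSIX paths, Windows
    drive letters and backslash separators."""
    if "\\" in name:
        return True
    if name.startswith("/"):
        return True
    if len(name) > 1 and name[0].isalpha() and name[1] == ":":
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def list_unsafe_members(data: bytes) -> list[str]:
    """The Workaround's manual inspection, automated: every member whose
    name could escape the extraction directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract `data` under `dest`, refusing the whole archive if any
    member is unsafe (the refuse-and-warn behaviour the advisory describes
    for Ark 20.08; this is an illustration, not Ark's code).
    Returns the relative paths written."""
    unsafe = list_unsafe_members(data)
    if unsafe:
        raise ValueError(f"refusing archive, traversal entries: {unsafe}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Defence in depth: the name check above is lexical; this
            # re-checks the resolved filesystem path against the root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"resolved path escapes {root}: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def extract_to_tempdir(data: bytes) -> tuple[bool, list[str], list[str]]:
    """Run safe_extract into a throwaway directory and report
    (accepted, files written, directory listing afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            written = safe_extract(data, d)
        except ValueError:
            return False, [], sorted(os.listdir(d))
        return True, sorted(written), sorted(os.listdir(d))


if __name__ == "__main__":
    poc = build_zip(TRAVERSAL_MEMBERS)
    print("suspicious members:", list_unsafe_members(poc))
    print("PoC accepted?", extract_to_tempdir(poc)[0])
    benign = build_zip({"docs/readme.txt": "hi\n", "docs/sub/../a.txt": "x\n"})
    print("benign archive:", extract_to_tempdir(benign))
```

Two independent checks are deliberate: the lexical test on the member name is what lets the archive be rejected before anything is written, and the `realpath` comparison catches anything the lexical test did not model once a destination path has been computed. Refusing the whole archive, rather than silently skipping the bad members, matches the advisory's fix and avoids a partial extraction the user did not ask for.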

vishnunaini (visred) on 2020-07-30:
information type: Private Security → Public Security
Rik Mills (rikmills) on 2020-07-30
Changed in ark (Ubuntu Groovy):
status: New → In Progress
importance: Undecided → High
Changed in ark (Ubuntu Focal):
status: New → Confirmed
importance: Undecided → High

The attachment "debdiff/patch for focal. Directly backportable to earlier variants" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Rik Mills (rikmills) wrote :

This bug was fixed in the package ark - 4:20.04.3-1

---------------
ark (4:20.04.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * Backport upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f to fix
    vulnerability to path traversal attacks (CVE-2020-16116); patch
    upstream_Fix-vulnerability-to-path-traversal-attacks.patch.
  * CI: disable build path variations, as not well handled with ark by the
    current toolchain.
  * Add Rules-Requires-Root: no.
  * Change an internal hostname of an old Ubuntu changelog entry to
    <email address hidden> to avoid lintian issues.

 -- Pino Toscano <email address hidden> Thu, 30 Jul 2020 17:11:50 +0200

Changed in ark (Ubuntu):
status: In Progress → Fix Released
Roland Bauer (zimmet) wrote :
vishnunaini (visred) wrote :

Rik only pushed an update for 20.10 Beta, i.e. groovy, as he only has access to the development version.

For the LTS release 20.04, the patch has not been released, as it can only be pushed by the Ubuntu security team or the release sponsors team.

I have just now added the ubuntu-security sponsors to this bug's subscription list, as this bug seems to have missed their queue.

Roland Bauer (zimmet) wrote :

Thanks for the quick response and explanation!

(To exclude an error on my side I did some research and learned a lot about the "apt-get" update process.)

Steve Beattie (sbeattie) on 2020-08-06
Changed in ark (Ubuntu Focal):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Thanks for preparing the debdiff and adding the ubuntu-security-sponsors account; I'll be taking a look at this.

I've pushed the focal version to the ubuntu security proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa) after adjusting the version to match the versioning scheme described at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging and tweaking the changelog message.

I don't suppose upstream added any tests to verify correct behavior?

vishnunaini (visred) wrote :

Upstream has included the below test archive in the original advisory. Upon trying to open the test archive in ark, a warning will show below the menu bar.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

vishnunaini (visred) wrote :

I have tested Steve's focal build from security-proposed and was able to successfully validate the fix, i.e. the warning for the PoC.

I have attached a screenshot of the warning when trying to open the PoC

Steve Beattie (sbeattie) wrote :

vishnunaini, thanks for testing and the pointer to the reproducer.

I also went ahead and carried back the patch to bionic's ark as well, and have uploaded it to the same ppa.

For xenial, the patch fails to apply because the passed archive entry type is different, and it was not clear to me whether the older version of the type contained an equivalent way to get access to the result of the fullPath() method call.

vishnunaini (visred) wrote :

Code went through a major refactor after xenial to integrate with updated Qt. See https://phabricator.kde.org/T2704

The refactor for this function was

-void Job::onEntry(const ArchiveEntry & archiveEntry)
+void Job::onEntry(Archive::Entry *entry)
 {
- emit newEntry(archiveEntry);
+ emit newEntry(entry);
 }
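Review bot: `Job::onEntry` now receives a raw `Archive::Entry *` and forwards it straight into the `newEntry` signal with no null check and no statement of who owns the object or how long it stays valid for the connected slots; either document that the job (or the archive) owns `entry` for at least the duration of signal delivery, or keep a `const` reference or smart pointer as the old `const ArchiveEntry &` signature did, and guard against a null pointer before the `emit`.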

I tried to backport it to xenial but to no avail.
There are too many function changes.

The ArchiveEntry->fullPath() doesn't work because archiveinterface.h doesn't exist.
Backporting archiveinterface.h will require a lot of refactoring in the entire code.

I am not familiar enough with the code to rewrite the actual patch itself instead of refactoring.

Even Debian doesn't seem to have backported it. It seems difficult for anyone who is not familiar with the upstream structure.

Steve Beattie (sbeattie) wrote :

This was addressed in bionic in https://launchpad.net/ubuntu/+source/ark/4:17.12.3-0ubuntu1.1 and focal in https://launchpad.net/ubuntu/+source/ark/4:19.12.3-0ubuntu1.1, and covered in USN 4461-1.

Thanks for preparing the updates and helping to protect users, vishnunaini!

Changed in ark (Ubuntu Bionic):
status: New → Fix Released
Changed in ark (Ubuntu Focal):
status: Confirmed → Fix Released