KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.

Bug #1893465 reported by vishnunaini on 2020-08-28
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ark (Ubuntu)
Undecided
Rik Mills
Xenial
Undecided
Eduardo Barretto
Bionic
Undecided
Eduardo Barretto
Focal
Undecided
Eduardo Barretto
Groovy
Undecided
Rik Mills

Bug Description

I have included a debdiff imported from upstream for the below security advisory for ark.

I have tested the patch in ppa with the sample archive issued in the advisory and can confirm it works without any noticeable issues.

KDE Project Security Advisory
=============================

Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <email address hidden>
Date: 27 August 2020

Overview
========

A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.

Workaround
==========

Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution
========

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
releases.

Credits
=======

Thanks to Fabian Vogt for reporting this issue and for fixing it.

CVE References

vishnunaini (visred) wrote :
information type: Private Security → Public Security
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.
That CVE apparently didn't hit our tracker so far, as soon as it does I'll update the status of Ubuntu Focal and thanks for providing the debdiff.
Can you confirm that previous releases of Ubuntu are not affected by the same issue?

Changed in ark (Ubuntu):
assignee: nobody → Eduardo Barretto (ebarretto)
vishnunaini (visred) wrote :

All previous and current releases are possibly affected.
The above debdiff is compatible with focal and bionic which are affected.
Groovy can be updated to the latest upstream by the maintainer.

The nature of impact of this bug on xenial is unknown as the code in xenial is very different and upstream hasn't detailed it. Ark went thorugh a significant refactor after xenial and the current upstream patches are incompatible. I'll try to evaluate and report back if the patch can be backported or if the bug even exists.

Rik Mills (rikmills) wrote :

For groovy, ark 20.08.1 tar with the fix rolled in will not be released until next week. Once I get access to the tar, I will upload to groovy.

Rik Mills (rikmills) on 2020-08-29
Changed in ark (Ubuntu Groovy):
assignee: Eduardo Barretto (ebarretto) → Rik Mills (rikmills)
Changed in ark (Ubuntu Focal):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in ark (Ubuntu Bionic):
assignee: nobody → Eduardo Barretto (ebarretto)
Rik Mills (rikmills) on 2020-09-01
Changed in ark (Ubuntu Groovy):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:20.08.1-0ubuntu1

---------------
ark (4:20.08.1-0ubuntu1) groovy; urgency=medium

  * New upstream release (20.08.1)
  * SECURITY UPDATE: Maliciously crafted TAR archive with symlinks can
    install files outside the extraction directory. (LP: #1893465)
    - CVE-2020-24654
    - Thanks to Fabian Vogt for reporting this issue and for fixing it.

 -- Rik Mills <email address hidden> Tue, 01 Sep 2020 08:48:18 +0100

Changed in ark (Ubuntu Groovy):
status: Fix Committed → Fix Released
Changed in ark (Ubuntu Xenial):
assignee: nobody → Eduardo Barretto (ebarretto)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:15.12.3-0ubuntu1.2

---------------
ark (4:15.12.3-0ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
    install files outside the extraction directory. (LP: #1893465)
    - 002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
    - CVE-2020-24654
    - Thanks to Fabian Vogt for reporting this issue and for fixing it.

 -- Eduardo Barretto <email address hidden> Tue, 01 Sep 2020 11:31:33 -0300

Changed in ark (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:17.12.3-0ubuntu1.2

---------------
ark (4:17.12.3-0ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
    install files outside the extraction directory. (LP: #1893465)
    - 002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
    - CVE-2020-24654
    - Thanks to Fabian Vogt for reporting this issue and for fixing it.

 -- vishnunaini <email address hidden> Fri, 28 Aug 2020 22:12:54 +0530

Changed in ark (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:19.12.3-0ubuntu1.2

---------------
ark (4:19.12.3-0ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
    install files outside the extraction directory. (LP: #1893465)
    - 002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
    - CVE-2020-24654
    - Thanks to Fabian Vogt for reporting this issue and for fixing it.

 -- vishnunaini <email address hidden> Fri, 28 Aug 2020 22:12:54 +0530

Changed in ark (Ubuntu Focal):
status: New → Fix Released
Rik Mills (rikmills) wrote :

Thank you everyone :)

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers