KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | ark (Ubuntu) |
Undecided
|
Rik Mills | ||
| | Xenial |
Undecided
|
Eduardo Barretto | ||
| | Bionic |
Undecided
|
Eduardo Barretto | ||
| | Focal |
Undecided
|
Eduardo Barretto | ||
| | Groovy |
Undecided
|
Rik Mills | ||
Bug Description
I have included a debdiff imported from upstream for the below security advisory for ark.
I have tested the patch in ppa with the sample archive issued in the advisory and can confirm it works without any noticeable issues.
KDE Project Security Advisory
=======
Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <email address hidden>
Date: 27 August 2020
Overview
========
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https:/
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/
Workaround
==========
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively, https:/
releases.
Credits
=======
Thanks to Fabian Vogt for reporting this issue and for fixing it.
CVE References
| Eduardo Barretto (ebarretto) wrote : | #2 |
| Changed in ark (Ubuntu): | |
| assignee: | nobody → Eduardo Barretto (ebarretto) |
| vishnunaini (visred) wrote : | #3 |
All previous and current releases are possibly affected.
The above debdiff is compatible with focal and bionic which are affected.
Groovy can be updated to the latest upstream by the maintainer.
The nature of impact of this bug on xenial is unknown as the code in xenial is very different and upstream hasn't detailed it. Ark went thorugh a significant refactor after xenial and the current upstream patches are incompatible. I'll try to evaluate and report back if the patch can be backported or if the bug even exists.
| Rik Mills (rikmills) wrote : | #4 |
For groovy, ark 20.08.1 tar with the fix rolled in will not be released until next week. Once I get access to the tar, I will upload to groovy.
| Changed in ark (Ubuntu Groovy): | |
| assignee: | Eduardo Barretto (ebarretto) → Rik Mills (rikmills) |
| Changed in ark (Ubuntu Focal): | |
| assignee: | nobody → Eduardo Barretto (ebarretto) |
| Changed in ark (Ubuntu Bionic): | |
| assignee: | nobody → Eduardo Barretto (ebarretto) |
| Changed in ark (Ubuntu Groovy): | |
| status: | New → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package ark - 4:20.08.1-0ubuntu1
---------------
ark (4:20.08.
* New upstream release (20.08.1)
* SECURITY UPDATE: Maliciously crafted TAR archive with symlinks can
install files outside the extraction directory. (LP: #1893465)
- CVE-2020-24654
- Thanks to Fabian Vogt for reporting this issue and for fixing it.
-- Rik Mills <email address hidden> Tue, 01 Sep 2020 08:48:18 +0100
| Changed in ark (Ubuntu Groovy): | |
| status: | Fix Committed → Fix Released |
| Changed in ark (Ubuntu Xenial): | |
| assignee: | nobody → Eduardo Barretto (ebarretto) |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package ark - 4:15.12.
---------------
ark (4:15.12.
* SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
install files outside the extraction directory. (LP: #1893465)
- 002-CVE-
- CVE-2020-24654
- Thanks to Fabian Vogt for reporting this issue and for fixing it.
-- Eduardo Barretto <email address hidden> Tue, 01 Sep 2020 11:31:33 -0300
| Changed in ark (Ubuntu Xenial): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package ark - 4:17.12.
---------------
ark (4:17.12.
* SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
install files outside the extraction directory. (LP: #1893465)
- 002-CVE-
- CVE-2020-24654
- Thanks to Fabian Vogt for reporting this issue and for fixing it.
-- vishnunaini <email address hidden> Fri, 28 Aug 2020 22:12:54 +0530
| Changed in ark (Ubuntu Bionic): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package ark - 4:19.12.
---------------
ark (4:19.12.
* SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
install files outside the extraction directory. (LP: #1893465)
- 002-CVE-
- CVE-2020-24654
- Thanks to Fabian Vogt for reporting this issue and for fixing it.
-- vishnunaini <email address hidden> Fri, 28 Aug 2020 22:12:54 +0530
| Changed in ark (Ubuntu Focal): | |
| status: | New → Fix Released |
| Rik Mills (rikmills) wrote : | #9 |
Thank you everyone :)
Thanks for taking the time to report this bug and helping to make Ubuntu better.
That CVE apparently didn't hit our tracker so far, as soon as it does I'll update the status of Ubuntu Focal and thanks for providing the debdiff.
Can you confirm that previous releases of Ubuntu are not affected by the same issue?