KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ark (Ubuntu) | Fix Released | Undecided | Rik Mills |
Xenial | Fix Released | Undecided | Eduardo Barretto |
Bionic | Fix Released | Undecided | Eduardo Barretto |
Focal | Fix Released | Undecided | Eduardo Barretto |
Groovy | Fix Released | Undecided | Rik Mills |
Bug Description
I have included a debdiff imported from upstream for the below security advisory for ark.
I have tested the patch in a PPA with the sample archive issued in the advisory and can confirm it works without any noticeable issues.
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <email address hidden>
Date: 27 August 2020
Overview
========
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https:/
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/
Workaround
==========
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively, https:/
releases.
Credits
=======
Thanks to Fabian Vogt for reporting this issue and for fixing it.
CVE References: CVE-2020-24654
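The Workaround section above tells users to inspect a downloaded TAR for symlink entries that point outside the extraction folder, and the Solution section says the fixed Ark simply skips such links. The following is an added example, not Ark's code and not the archive linked from the advisory: it builds a small constructed archive with the same shape (a symlink `payload` pointing two levels above the extraction root, followed by a regular file `payload/.bashrc` that a naive extractor would write through that link), scans it for the three things that let an entry land outside the root, and then extracts only the entries that were not flagged. The function names `find_unsafe_members`, `safe_extract`, `build_poc_tar` and `run_demo`, the `../../victim_home` target and the file contents are all assumptions made for the demonstration.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def _escapes_root(rel_path):
    """True if a POSIX path, taken relative to the extraction root, climbs above it."""
    norm = posixpath.normpath(rel_path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def _through_link(name, link_names):
    """Return the first ancestor of `name` that is a symlink entry seen earlier, else None."""
    parts = posixpath.normpath(name).split("/")
    for i in range(1, len(parts)):
        if "/".join(parts[:i]) in link_names:
            return "/".join(parts[:i])
    return None


def find_unsafe_members(tar_bytes):
    """Return [(name, reason)] for entries that would land or point outside the root:
    names that escape it, link targets that resolve outside it, and paths that pass
    through an earlier symlink entry (conservative: also flags in-archive links)."""
    findings, link_names = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            if _escapes_root(name):
                findings.append((name, "name escapes the extraction root"))
                continue
            via = _through_link(name, link_names)
            if via is not None:
                findings.append((name, f"path passes through symlink entry {via!r}"))
                continue
            if m.issym() or m.islnk():
                # symlink targets are relative to the link's own directory;
                # hardlink targets are archive paths relative to the root
                if m.islnk() or m.linkname.startswith("/"):
                    target = m.linkname
                else:
                    target = posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes_root(target):
                    findings.append((name, f"link target {m.linkname!r} resolves outside the root"))
                if m.issym():
                    link_names.add(posixpath.normpath(name))
    return findings


def safe_extract(tar_bytes, dest):
    """Extract every member find_unsafe_members() did not flag; return their names."""
    bad = {name for name, _ in find_unsafe_members(tar_bytes)}
    # Python 3.12+ (and security backports) ship tarfile.data_filter, which rejects
    # the same traversal on its own; use it as a second layer when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.name not in bad:
                tar.extract(m, path=dest, **extra)
                extracted.append(m.name)
    return extracted


def build_poc_tar():
    """Constructed sample (not the archive linked from the advisory): symlink
    'payload' -> two levels above the root, then a file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        readme, body = tarfile.TarInfo("README.txt"), b"harmless\n"
        readme.size = len(body)
        tar.addfile(readme, io.BytesIO(body))
        link = tarfile.TarInfo("payload")
        link.type, link.linkname = tarfile.SYMTYPE, "../../victim_home"
        tar.addfile(link)
        rc, body = tarfile.TarInfo("payload/.bashrc"), b"echo pwned >> ~/.pwned\n"
        rc.size = len(body)
        tar.addfile(rc, io.BytesIO(body))
    return buf.getvalue()


def run_demo():
    """Scan and extract the sample in a scratch tree; report what reached disk."""
    tar_bytes = build_poc_tar()
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "downloads", "unpacked")
        os.makedirs(root)
        extracted = safe_extract(tar_bytes, root)
        return {
            "flagged": [n for n, _ in find_unsafe_members(tar_bytes)],
            "extracted": extracted,
            "readme_present": os.path.isfile(os.path.join(root, "README.txt")),
            "link_created": os.path.lexists(os.path.join(root, "payload")),
            "escaped": os.path.exists(os.path.join(top, "victim_home")),
        }
```

Running `run_demo()` flags `payload` (its target resolves outside the root) and `payload/.bashrc` (it would be written through that link), extracts only `README.txt`, and leaves nothing at `<top>/victim_home`. The third check is deliberately stricter than what the advisory requires: it also refuses to write through a symlink that stays inside the archive, because a chain of in-archive links can still end up outside the root once the earlier ones have been created on disk.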
Changed in ark (Ubuntu Groovy):
  assignee: Eduardo Barretto (ebarretto) → Rik Mills (rikmills)
Changed in ark (Ubuntu Focal):
  assignee: nobody → Eduardo Barretto (ebarretto)
Changed in ark (Ubuntu Bionic):
  assignee: nobody → Eduardo Barretto (ebarretto)
Changed in ark (Ubuntu Groovy):
  status: New → Fix Committed
Changed in ark (Ubuntu Xenial):
  assignee: nobody → Eduardo Barretto (ebarretto)
Thanks for taking the time to report this bug and helping to make Ubuntu better.
That CVE apparently didn't hit our tracker so far; as soon as it does I'll update the status of Ubuntu Focal. Thanks for providing the debdiff.
Can you confirm that previous releases of Ubuntu are not affected by the same issue?