CVE-2017-5330 - Ark: unintended execution of scripts and executable files
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ark (Ubuntu) | Fix Released | Medium | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Yakkety | Fix Released | High | Unassigned | |
| Zesty | Fix Released | Medium | Unassigned | |
Bug Description
KDE Project Security Advisory
=============================
Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: CVE-2017-5330
Versions: ark >= 15.12
Author: Elvis Angelaccio <email address hidden>
Date: 12 January 2017
Overview
========
Through a (possibly malicious) tar archive that contains an
executable shell script or binary, it was possible to execute
arbitrary code on target machines.
KRun::runUrl() has a runExecutable argument which defaults to true.
Ark was using this default value and was also not checking
whether an extracted file was executable before passing it to the
runUrl() function.
Impact
======
An attacker can send legitimate tar archives with executable scripts or
binaries disguised as normal files (say, with README or LICENSE as filenames).
The attacker can then trick a user into selecting those files and clicking
the Open button in the Ark toolbar, which triggers the affected code.
Workaround
==========
Don't use the File -> Open functionality of Ark.
You can still open archives (Archive->Open) and extract them.
Solution
========
Update to Ark >= 16.12.1
For older releases of Ark, apply the following patches:
Applications/16.08 branch: https:/
Applications/16.04 branch: https:/
Applications/15.12 branch: https:/
Credits
=======
Thanks to Fabian Vogt for reporting this issue and to Elvis Angelaccio for
fixing it.
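As an added illustration (not code from the advisory or from Ark), the check the advisory says was missing, modelled in Python: flag archive members that carry an execute bit before extraction, and show how the "Open" decision differs between the run-executables default the advisory describes and a caller that never requests execution. The sample archive, the function names and the "execute"/"view" outcomes are constructed for this example.

```python
import io
import os
import stat
import tarfile
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def build_sample_archive() -> bytes:
    """Constructed test input: a shell script stored as 'README' with mode 0755
    beside a harmless, non-executable 'LICENSE'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body, mode in (
            ("README", b"#!/bin/sh\necho script ran\n", 0o755),
            ("LICENSE", b"MIT License\n", 0o644),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def executable_members(archive: bytes) -> list:
    """Pre-extraction check: regular members carrying any execute bit."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.isfile() and m.mode & EXEC_BITS]


def dispatch_extracted(path: str, run_executables: bool = True) -> str:
    """Model of the 'Open' decision. The unsafe default (run_executables=True,
    as KRun::runUrl() defaulted) launches an executable file; the hardened
    caller checks the mode bits itself and never requests execution."""
    if run_executables and os.stat(path).st_mode & EXEC_BITS:
        return "execute"  # the CVE-2017-5330 behaviour
    return "view"         # hand to the mime-type viewer as plain data


def demo() -> dict:
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for m in tar.getmembers():  # extract by hand, preserving mode bits
                dest = os.path.join(tmp, os.path.basename(m.name))
                with open(dest, "wb") as out:
                    out.write(tar.extractfile(m).read())
                os.chmod(dest, m.mode)
        readme = os.path.join(tmp, "README")
        return {"flagged": executable_members(archive),
                "unsafe_default": dispatch_extracted(readme),
                "hardened": dispatch_extracted(readme, run_executables=False)}
```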
Changed in ark (Ubuntu Xenial):
  importance: Undecided → High
Changed in ark (Ubuntu Yakkety):
  importance: Undecided → High
Changed in ark (Ubuntu Zesty):
  importance: Undecided → Medium
tags: added: patch
Changed in ark (Ubuntu Zesty):
  status: Fix Committed → Fix Released
Changed in ark (Ubuntu Yakkety):
  status: Confirmed → In Progress
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures