2017-01-11 00:18:09 |
Rik Mills |
bug |
|
|
added bug |
2017-01-11 00:18:36 |
Rik Mills |
bug |
|
|
added subscriber Clive Johnston |
2017-01-11 00:18:50 |
Rik Mills |
bug |
|
|
added subscriber Philip Muškovac |
2017-01-11 00:34:45 |
Clive Johnston |
nominated for series |
|
Ubuntu Zesty |
|
2017-01-11 00:34:45 |
Clive Johnston |
bug task added |
|
ark (Ubuntu Zesty) |
|
2017-01-11 00:34:45 |
Clive Johnston |
nominated for series |
|
Ubuntu Xenial |
|
2017-01-11 00:34:45 |
Clive Johnston |
bug task added |
|
ark (Ubuntu Xenial) |
|
2017-01-11 00:34:45 |
Clive Johnston |
nominated for series |
|
Ubuntu Yakkety |
|
2017-01-11 00:34:45 |
Clive Johnston |
bug task added |
|
ark (Ubuntu Yakkety) |
|
2017-01-11 00:34:59 |
Clive Johnston |
ark (Ubuntu Xenial): importance |
Undecided |
High |
|
2017-01-11 00:35:03 |
Clive Johnston |
ark (Ubuntu Yakkety): importance |
Undecided |
High |
|
2017-01-11 00:35:10 |
Clive Johnston |
ark (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-01-11 00:55:18 |
Seth Arnold |
ark (Ubuntu): status |
New |
Incomplete |
|
2017-01-11 00:55:19 |
Seth Arnold |
ark (Ubuntu Xenial): status |
New |
Incomplete |
|
2017-01-11 00:55:20 |
Seth Arnold |
ark (Ubuntu Yakkety): status |
New |
Incomplete |
|
2017-01-11 00:56:10 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2017-01-11 17:02:50 |
Clive Johnston |
attachment added |
|
ark_15.12.3-0ubuntu1.1.debdiff https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4802947/+files/ark_15.12.3-0ubuntu1.1.debdiff |
|
2017-01-11 20:31:01 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2017-01-17 08:41:20 |
vishnunaini |
attachment added |
|
debdiff-yakkety https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4805298/+files/debdiff |
|
2017-01-17 08:53:30 |
vishnunaini |
cve linked |
|
2017-5330 |
|
2017-01-17 08:54:17 |
vishnunaini |
ark (Ubuntu Xenial): status |
Incomplete |
Confirmed |
|
2017-01-17 08:54:26 |
vishnunaini |
ark (Ubuntu Yakkety): status |
Incomplete |
Confirmed |
|
2017-01-17 08:54:29 |
vishnunaini |
ark (Ubuntu Zesty): status |
Incomplete |
Confirmed |
|
2017-01-17 09:04:26 |
vishnunaini |
bug |
|
|
added subscriber Marc Deslauriers |
2017-01-17 12:36:13 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2017-01-18 22:25:44 |
vishnunaini |
attachment added |
|
debdiff.patch https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4806031/+files/debdiff.patch |
|
2017-01-20 03:42:42 |
Simon Quigley |
ark (Ubuntu Zesty): status |
Confirmed |
Fix Committed |
|
2017-01-20 03:44:21 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: TODO
Platforms: TODO
Versions: ark >= 15.12
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: TODO
Overview
========
Through a (possibly malicious) tar archive that contains an
executable shell script or binary, it was possible to execute
arbitrary code on target machines.
KRun::runUrl() has a runExecutable argument which defaults to true.
Ark was using this default value and was also not checking
whether an extracted file was executable before passing it to the
runUrl() function.
Impact
======
An attacker can send legitimate tar archives with executable scripts or
binaries disguised as normal files (say, with README or LICENSE as filenames).
The attacker then can trick a user into selecting those files and clicking
the Open button in the Ark toolbar, which triggers the affected code.
Workaround
==========
Don't use the Open functionality of Ark.
Solution
========
Update to Ark >= 16.12.1
For older releases of Ark, apply the following patches:
Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b
Credits
=======
Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for
fixing this issue. |
KDE Project Security Advisory
=============================
Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: CVE-2017-5330
Versions: ark >= 15.12
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 12 January 2017
Overview
========
Through a (possibly malicious) tar archive that contains an
executable shell script or binary, it was possible to execute
arbitrary code on target machines.
KRun::runUrl() has a runExecutable argument which defaults to true.
Ark was using this default value and was also not checking
whether an extracted file was executable before passing it to the
runUrl() function.
Impact
======
An attacker can send legitimate tar archives with executable scripts or
binaries disguised as normal files (say, with README or LICENSE as filenames).
The attacker then can trick a user into selecting those files and clicking
the Open button in the Ark toolbar, which triggers the affected code.
Workaround
==========
Don't use the File -> Open functionality of Ark.
You can still open archives (Archive->Open) and extract them.
Solution
========
Update to Ark >= 16.12.1
For older releases of Ark, apply the following patches:
Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b
Credits
=======
Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for
fixing this issue. |
|
2017-01-20 03:44:32 |
Simon Quigley |
bug |
|
|
added subscriber Simon Quigley |
2017-01-20 14:19:26 |
Rik Mills |
ark (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-01-20 16:25:39 |
Emily Ratliff |
ark (Ubuntu Yakkety): status |
Confirmed |
In Progress |
|
2017-01-21 00:28:10 |
Launchpad Janitor |
ark (Ubuntu Yakkety): status |
In Progress |
Fix Released |
|
2017-01-21 00:28:11 |
Launchpad Janitor |
ark (Ubuntu Xenial): status |
Confirmed |
Fix Released |
|
2017-01-21 00:28:11 |
Launchpad Janitor |
cve linked |
|
2017-5530 |
|