Activity log for bug #1655507

Date Who What changed Old value New value Message
2017-01-11 00:18:09 Rik Mills bug added bug
2017-01-11 00:18:36 Rik Mills bug added subscriber Clive Johnston
2017-01-11 00:18:50 Rik Mills bug added subscriber Philip Muškovac
2017-01-11 00:34:45 Clive Johnston nominated for series Ubuntu Zesty
2017-01-11 00:34:45 Clive Johnston bug task added ark (Ubuntu Zesty)
2017-01-11 00:34:45 Clive Johnston nominated for series Ubuntu Xenial
2017-01-11 00:34:45 Clive Johnston bug task added ark (Ubuntu Xenial)
2017-01-11 00:34:45 Clive Johnston nominated for series Ubuntu Yakkety
2017-01-11 00:34:45 Clive Johnston bug task added ark (Ubuntu Yakkety)
2017-01-11 00:34:59 Clive Johnston ark (Ubuntu Xenial): importance Undecided High
2017-01-11 00:35:03 Clive Johnston ark (Ubuntu Yakkety): importance Undecided High
2017-01-11 00:35:10 Clive Johnston ark (Ubuntu Zesty): importance Undecided Medium
2017-01-11 00:55:18 Seth Arnold ark (Ubuntu): status New Incomplete
2017-01-11 00:55:19 Seth Arnold ark (Ubuntu Xenial): status New Incomplete
2017-01-11 00:55:20 Seth Arnold ark (Ubuntu Yakkety): status New Incomplete
2017-01-11 00:56:10 Seth Arnold information type Private Security Public Security
2017-01-11 17:02:50 Clive Johnston attachment added ark_15.12.3-0ubuntu1.1.debdiff https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4802947/+files/ark_15.12.3-0ubuntu1.1.debdiff
2017-01-11 20:31:01 Ubuntu Foundations Team Bug Bot tags patch
2017-01-17 08:41:20 vishnunaini attachment added debdiff-yakkety https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4805298/+files/debdiff
2017-01-17 08:53:30 vishnunaini cve linked 2017-5330
2017-01-17 08:54:17 vishnunaini ark (Ubuntu Xenial): status Incomplete Confirmed
2017-01-17 08:54:26 vishnunaini ark (Ubuntu Yakkety): status Incomplete Confirmed
2017-01-17 08:54:29 vishnunaini ark (Ubuntu Zesty): status Incomplete Confirmed
2017-01-17 09:04:26 vishnunaini bug added subscriber Marc Deslauriers
2017-01-17 12:36:13 Marc Deslauriers bug added subscriber Ubuntu Security Sponsors Team
2017-01-18 22:25:44 vishnunaini attachment added debdiff.patch https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4806031/+files/debdiff.patch
2017-01-20 03:42:42 Simon Quigley ark (Ubuntu Zesty): status Confirmed Fix Committed
2017-01-20 03:44:21 Simon Quigley description

Old value:

KDE Project Security Advisory
=============================

Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: TODO
Platforms: TODO
Versions: ark >= 15.12
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: TODO

Overview
========

Through a (possibly malicious) tar archive that contains an executable shell script or binary, it was possible to execute arbitrary code on target machines.

KRun::runUrl() has a runExecutable argument which defaults to true. Ark was using this default value and was also not checking whether an extracted file was executable before passing it to the runUrl() function.

Impact
======

An attacker can send legitimate tar archives with executable scripts or binaries disguised as normal files (say, with README or LICENSE as filenames). The attacker then can trick a user to select those files and click the Open button in the Ark toolbar, which triggers the affected code.

Workaround
==========

Don't use the Open functionality of Ark.

Solution
========

Update to Ark >= 16.12.1

For older releases of Ark, apply the following patches:

Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

Credits
=======

Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.

New value:

KDE Project Security Advisory
=============================

Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: CVE-2017-5330
Versions: ark >= 15.12
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 12 January 2017

Overview
========

Through a (possibly malicious) tar archive that contains an executable shell script or binary, it was possible to execute arbitrary code on target machines.

KRun::runUrl() has a runExecutable argument which defaults to true. Ark was using this default value and was also not checking whether an extracted file was executable before passing it to the runUrl() function.

Impact
======

An attacker can send legitimate tar archives with executable scripts or binaries disguised as normal files (say, with README or LICENSE as filenames). The attacker then can trick a user to select those files and click the Open button in the Ark toolbar, which triggers the affected code.

Workaround
==========

Don't use the File -> Open functionality of Ark. You can still open archives (Archive->Open) and extract them.

Solution
========

Update to Ark >= 16.12.1

For older releases of Ark, apply the following patches:

Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

Credits
=======

Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.
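The advisory above names two missing checks: Ark passed extracted entries to KRun::runUrl() with runExecutable left at its default of true, and it never looked at whether the extracted file carried an executable bit. The following is an added example, not Ark's or KDE's code, that reproduces both checks in Python against a tar archive constructed in memory: an archive-side scan that flags regular members with any execute bit set (and, separately, those whose names look like documentation), and a hardened stand-in for the "Open" hand-off that defaults runExecutables to False and refuses executable files. The function names (`executable_entries`, `disguised_executables`, `open_extracted_entry`, `demo`), the sample archive and its contents are all assumptions made for this example.

```python
"""Added example (not Ark's or KDE's code): the two checks the KDE advisory
says were missing, reproduced against an in-memory tar archive.

Assumptions: open_extracted_entry() is a hypothetical stand-in for Ark's
"Open" action; the archive built by build_sample_archive() is constructed
here and is not a real sample.
"""
import io
import os
import stat
import tarfile
import tempfile

# Names the advisory mentions as typical disguises (constructed list).
DOC_LIKE_NAMES = {"README", "LICENSE", "COPYING", "CHANGELOG", "AUTHORS"}

ANY_EXEC_BIT = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def build_sample_archive() -> bytes:
    """Constructed sample: a README entry with mode 0755 (executable bit set)
    and a plain LICENSE entry with mode 0644."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, payload in (
            ("README", 0o755, b"#!/bin/sh\necho 'this would have run'\n"),
            ("LICENSE", 0o644, b"MIT License\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def executable_entries(archive: bytes) -> list:
    """Archive-side check: regular members whose recorded mode carries any
    execute bit. This can run before anything is extracted."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.mode & ANY_EXEC_BIT:
                hits.append(member.name)
    return hits


def disguised_executables(archive: bytes) -> list:
    """Detection angle from the advisory: executable members whose base name
    (ignoring any extension) is a documentation-style name."""
    return [
        name for name in executable_entries(archive)
        if os.path.basename(name).split(".")[0].upper() in DOC_LIKE_NAMES
    ]


def open_extracted_entry(path: str, run_executables: bool = False) -> str:
    """Hardened stand-in for handing an extracted file to a URL runner.
    Mirrors the two fixes the advisory describes: the run-executables flag is
    explicitly False by default, and the executable bit is inspected on the
    extracted file before the hand-off."""
    mode = os.stat(path).st_mode
    if mode & ANY_EXEC_BIT and not run_executables:
        return "refused: executable"
    return "opened-with-viewer"


def demo() -> dict:
    """Extract the sample archive into a temporary directory (flattening
    member names so no path component is honoured) and apply the hardened
    open policy to each regular file. Returns {member name: decision}."""
    archive = build_sample_archive()
    results = {}
    with tempfile.TemporaryDirectory() as tmp, \
            tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = os.path.join(tmp, os.path.basename(member.name))
            with open(dest, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            os.chmod(dest, member.mode & 0o777)  # replay the recorded mode
            results[member.name] = open_extracted_entry(dest)
    return results


if __name__ == "__main__":
    sample = build_sample_archive()
    print("executable members:", executable_entries(sample))
    print("disguised as docs:", disguised_executables(sample))
    print("open decisions:", demo())
```

The archive-side scan is what a mail gateway or archive handler can apply without trusting the extractor at all; the `open_extracted_entry` policy is the in-application fix, and keeping `run_executables` off by default means a caller has to opt in deliberately rather than inherit a permissive default. The example only reads the tar member's recorded mode bits and the extracted file's mode, which is exactly the check the advisory says was absent.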
2017-01-20 03:44:32 Simon Quigley bug added subscriber Simon Quigley
2017-01-20 14:19:26 Rik Mills ark (Ubuntu Zesty): status Fix Committed Fix Released
2017-01-20 16:25:39 Emily Ratliff ark (Ubuntu Yakkety): status Confirmed In Progress
2017-01-21 00:28:10 Launchpad Janitor ark (Ubuntu Yakkety): status In Progress Fix Released
2017-01-21 00:28:11 Launchpad Janitor ark (Ubuntu Xenial): status Confirmed Fix Released
2017-01-21 00:28:11 Launchpad Janitor cve linked 2017-5530