https://bugs.kde.org/show_bug.cgi?id=450134

Bug ID: 450134
Summary: Opening an archive containing a directory with a name ending in ".." fails with an error message.
Product: ark
Version: 19.12.3
Platform: Kubuntu Packages
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: elvis.angelac...@kde.org
Reporter: deepfried...@gmail.com
CC: aa...@kde.org, rthoms...@gmail.com
Target Milestone: ---

Created attachment 146659
--> https://bugs.kde.org/attachment.cgi?id=146659&action=edit
Example failing file.

SUMMARY
Opening an archive containing a directory with a name ending in ".." fails with an error message.

STEPS TO REPRODUCE
1. mkdir 'test..'
2. touch 'test../foo'
3. tar -cf 'test.tar' 'test..'
4. ark 'test.tar'

OBSERVED RESULT
The message:
  ark.kerfuffle: Possibly malicious archive. Detected entry that could lead to a directory traversal attack: "test../foo"
is printed on stdout. An Ark window is shown, containing the error message: "Loading the archive <REMOVED>/test.tar failed with the following error: Could not load the archive because it contains ill-formed entries and might be a malicious archive."

EXPECTED RESULT
The archive contents are shown in the window normally.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.04
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.68.0
Qt Version: 5.12.8
Kernel Version: 5.4.0-96-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
This appears to be caused by:
https://invent.kde.org/utilities/ark/-/blob/master/kerfuffle/jobs.cpp#L164

I believe this code is intended to prevent directory traversal attacks by detecting if the archive contains any directory named "..". However, it actually detects if any directory name ends with "..".
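To make the distinction in the report concrete, here is an added example (not Ark's code; the function names are assumed) contrasting a check that flags any path component merely ending in ".." with a component-wise check that flags only an exact ".." component or an absolute path:

```cpp
#include <string>
#include <vector>
#include <sstream>

// Split an archive entry path on '/' into its non-empty components.
// Entry paths are assumed to be '/'-separated, as in tar archives.
static std::vector<std::string> splitPath(const std::string& path) {
    std::vector<std::string> parts;
    std::string part;
    std::istringstream in(path);
    while (std::getline(in, part, '/')) {
        if (!part.empty()) parts.push_back(part);
    }
    return parts;
}

// Overly broad check, modelling the behaviour the report describes: any
// component whose name ends in ".." is flagged, so "test../foo" is rejected
// even though it never leaves the extraction directory.
bool endsWithDotDotCheck(const std::string& entryPath) {
    for (const auto& c : splitPath(entryPath)) {
        if (c.size() >= 2 && c.compare(c.size() - 2, 2, "..") == 0) return true;
    }
    return false;
}

// Component-wise check: an entry is a traversal risk only if it is absolute
// or one of its components is exactly "..". A name such as "test.." is an
// ordinary directory name and is accepted.
bool isTraversalPath(const std::string& entryPath) {
    if (!entryPath.empty() && entryPath[0] == '/') return true;
    for (const auto& c : splitPath(entryPath)) {
        if (c == "..") return true;
    }
    return false;
}
```

Running both functions over the report's entry "test../foo" shows the false positive: the broad check rejects it, the component-wise check accepts it, while both still reject "../etc/passwd" and "dir/../../x".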