[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Rik only pushed an update for 20.10 Beta, i.e. groovy, as he only has access to the development version. For the LTS release 20.04, the patch has not been released as it can only be pushed by the Ubuntu security team or the release sponsors team. I have just now added the ubuntu-security sponsors to this bug's subscription list as this bug seems to have missed their queue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1889672 Title: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Upstream has included the below test archive in the original advisory. Upon trying to open the test archive in ark, a warning will show below the menu bar.

Proof of concept
For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
I have tested Steve's focal build from security-proposed and was able to successfully validate the fix, i.e. warning for the PoC. I have attached a screenshot of the warning when trying to open the PoC.

** Attachment added: "ark_fix_test.png"
   https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+attachment/5399333/+files/ark_fix_test.png
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
** Attachment removed: "ark_fix_test.png"
   https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+attachment/5399333/+files/ark_fix_test.png
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Code went through a major refactor after xenial to integrate with updated Qt. See https://phabricator.kde.org/T2704

The refactor for this function was

-void Job::onEntry(const ArchiveEntry & archiveEntry) +void Job::onEntry(Archive::Entry *entry) { -emit newEntry(archiveEntry); +emit newEntry(entry); }

I tried to backport it to xenial but to no avail. There are too many function changes. The ArchiveEntry->fullPath() doesn't work because archiveinterface.h doesn't exist. Backporting archiveinterface.h will require a lot of refactoring in the entire code. I am not familiar with the code to rewrite the actual patch itself instead of refactoring. Even debian doesn't seem to have backported it. It seems difficult for anyone who is not familiar with the upstream structure.
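Review bot: In the new `Job::onEntry(Archive::Entry *entry)` signature the entry arrives as a raw pointer instead of the earlier `const ArchiveEntry &`, and `emit newEntry(entry)` forwards it without a null check or any statement of ownership. Suggest asserting or returning early on a null `entry` before the emit, and documenting who owns the object and how long connected slots may keep it.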
[Bug 1668552] Re: KDE Project Security Advisory: ktnef: Directory Traversal
debdiff for yakkety is included in the attachment.

** Attachment added: "yakkety-debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ktnef/+bug/1668552/+attachment/4828791/+files/yakkety-debdiff

** Changed in: ktnef (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: ktnef (Ubuntu Yakkety)
   Status: New => Confirmed
[Bug 1668552] Re: KDE Project Security Advisory: ktnef: Directory Traversal
Xenial is in kdepim not ktnef.

** Changed in: ktnef (Ubuntu Xenial)
   Status: Confirmed => New
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
Added kio-yakkety-debdiff.patch

** Changed in: kde4libs (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: kio (Ubuntu Yakkety)
   Status: New => Confirmed

** Patch added: "kio-yakkety-debdiff.patch"
   https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4828810/+files/kio-yakkety-debdiff.patch
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
Added kde4libs-yakkety-debdiff.patch

** Patch added: "kde4libs-yakkety-debdiff.patch"
   https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4828811/+files/kde4libs-yakkety-debdiff.patch
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
Why did the kde4libs amd64 build in ubuntu-security-proposed fail? It built fine in my ppa.

my ppa:
https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages
https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+build/12070850

ubuntu-security-proposed build:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/12071418
[Bug 1668552] Re: KDE Project Security Advisory: ktnef: Directory Traversal
debdiff for ktnef in xenial is attached. kdepim also needs to be patched both in xenial and trusty.

** Attachment added: "ktnef-xenial-debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ktnef/+bug/1668552/+attachment/4829858/+files/ktnef-xenial-debdiff
[Bug 1668552] Re: KDE Project Security Advisory: ktnef: Directory Traversal
I cannot make debdiffs for kdepim as I am not sure if the patch is compatible. Someone familiar with the code should patch it.

** Changed in: ktnef (Ubuntu Xenial)
   Status: New => Confirmed
[Bug 1641700] Re: untrusted code execution using NES music file play using gstreamer NES CPU emulation CESA-2016-0001
I am not going to touch the code myself but I will post a debdiff if upstream debian updates it in wheezy. But I still request the security team to look at it because this problem exists in a default install and also could compromise the system by just opening nautilus.
[Bug 1641380] Re: chromium-browser: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED for Symantec certs
This is not a bug with Chrome. It is a bug with Symantec's certificate issuance systems.
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
debdiff for kde4libs in xenial is attached.

** Attachment added: "kde4libs-xenial-debdiff"
   https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4829903/+files/kde4libs-xenial-debdiff

** Changed in: kio (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Xenial)
   Status: New => Confirmed
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
debdiff for kio in xenial is attached.

** Attachment added: "kio-xenial-debdiff"
   https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4829901/+files/kio-xenial-debdiff
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
** Changed in: kde4libs (Ubuntu Zesty)
   Status: New => Confirmed

** Changed in: kio (Ubuntu Zesty)
   Status: New => Confirmed
[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6410
[Bug 1638922] [NEW] tar : CVE-2016-6321 not patched in stable
Public bug reported:

CVE-2016-6321 path name extract bypass vulnerability is not patched in stable releases of yakkety, xenial and other supported releases. The maintainer appears to have only pushed the patch to zesty proposed. Please push the patch for the stable releases as this bug could have serious implications in certain environments. Upstream debian has already pushed the patch to stable.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6321.html

** Affects: tar (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: cve-2016-6321 needs-packaging patch-accepted-upstream

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6321
[Bug 1638922] Re: [needs-packaging] tar : CVE-2016-6321 not patched in stable
I removed the needs-packaging tag. Wasn't aware that it is only for new packages.

** Tags removed: needs-packaging
[Bug 1893465] [NEW] KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
*** This bug is a security vulnerability ***

Public security bug reported:

I have included a debdiff imported from upstream for the below security advisory for ark. I have tested the patch in ppa with the sample archive issued in the advisory and can confirm it works without any noticeable issues.

KDE Project Security Advisory
=============================

Title:        Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating:  Important
CVE:          CVE-2020-24654
Versions:     ark <= 20.08.0
Author:       Elvis Angelaccio
Date:         27 August 2020

Overview
========

A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart.

Workaround
==========

Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain symlink entries pointing outside the extraction folder. The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution
========

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives. Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.

Credits
=======

Thanks to Fabian Vogt for reporting this issue and for fixing it.

** Affects: ark (Ubuntu)
   Importance: Undecided
   Status: New

** Patch added: "CVE-2020-24654-tar-symlinks-outside-extraction-directory.debdiff"
   https://bugs.launchpad.net/bugs/1893465/+attachment/5405512/+files/CVE-2020-24654-tar-symlinks-outside-extraction-directory.debdiff

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24654
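
The inspection step named in the advisory's workaround, as an added example that is not part of the original report or of Ark's code: a read-only Python check that reads a TAR's headers and reports symlinks pointing outside the extraction directory, plus entries that would be written through a symlink declared in the archive. The sample archive is constructed in memory; the function names and reason strings are assumptions made for this sketch.

```python
import io
import posixpath
import tarfile


def escapes(path: str) -> bool:
    """True if `path`, taken relative to the extraction root, leaves it."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes) -> list[tuple[str, str]]:
    """Read headers only (nothing is extracted); return (entry, reason) pairs."""
    findings = []
    links = set()  # normalised names of symlinks seen so far in the archive
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if escapes(m.name):
                findings.append((m.name, "name-escapes"))
            # Conservative: any entry whose parent is an archive symlink is
            # reported, since the write follows the link at extraction time.
            parts = name.split("/")
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((m.name, "written-through-symlink"))
            if m.issym():
                # A relative target is resolved from the symlink's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if escapes(target):
                    findings.append((m.name, "symlink-escapes"))
                links.add(name)
    return findings


def build_sample() -> bytes:
    """Constructed archive: an escaping symlink, a file under it, two benign entries."""
    def entry(name, link=None, body=b""):
        info = tarfile.TarInfo(name)
        if link is not None:
            info.type, info.linkname = tarfile.SYMTYPE, link
        info.size = len(body)
        return info, io.BytesIO(body)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(*entry("out", link="../outside"))
        tar.addfile(*entry("out/note.txt", body=b"constructed\n"))
        tar.addfile(*entry("docs/readme.txt", body=b"constructed\n"))
        tar.addfile(*entry("docs/latest", link="readme.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{reason:24} {name}")
```

The in-tree symlink `docs/latest` is not reported, while `out` and the file stored beneath it are.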
[Bug 1893465] Re: KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
All previous and current releases are possibly affected. The above debdiff is compatible with focal and bionic which are affected. Groovy can be updated to the latest upstream by the maintainer. The nature of impact of this bug on xenial is unknown as the code in xenial is very different and upstream hasn't detailed it. Ark went through a significant refactor after xenial and the current upstream patches are incompatible. I'll try to evaluate and report back if the patch can be backported or if the bug even exists.
[Bug 1968287] Re: loopback addresses disappear after running "netplan apply" multiple times
** Changed in: netplan.io (Ubuntu)
   Status: New => Confirmed