*** This bug is a security vulnerability *** Public security bug reported:
I am including a debdiff for an upstream security bug in ark. I have tested it in focal with a successful build in ppa. The link to a sample archive is available in the kde advisory at https://kde.org/info/security/advisory-20200730-1.txt

Upstream patch at: https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f

Below is the original KDE project security advisory:

Albert Astals Cid <aa...@kde.org> 03:56 (18 hours ago) to kde-announce

KDE Project Security Advisory
=============================

Title:        Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating:  Important
CVE:          CVE-2020-16116
Versions:     ark <= 20.04.3
Author:       Elvis Angelaccio <elvis.angelac...@kde.org>
Date:         30 July 2020

Overview
========

A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of a malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart

Workaround
==========

Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path.

Solution
========

Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users. Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases.

Credits
=======

Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it.

** Affects: ark (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: patch

** Patch added: "debdiff/patch for focal. Directly backportable to earlier variants"
   https://bugs.launchpad.net/bugs/1889672/+attachment/5397227/+files/001-CVE-2020-16116-maliciously-crafted-archive-can-install-files-outside-the-extraction-directory.patch

** Information type changed from Private Security to Public Security

-- 
https://bugs.launchpad.net/bugs/1889672
Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
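The advisory's workaround asks users to inspect an archive for "../" entries before extracting it, and its solution says Ark 20.08.0 refuses to load such archives. The following is an added example, not Ark's code and not part of the advisory or the Launchpad report, showing that check in Python. It builds a constructed zip in memory (an assumption for illustration; the advisory's real sample is relative2.zip linked above) containing benign members, members that escape via "../" or a nested "sub/../../", and an absolute path, normalises each member name as an extractor should, and refuses the whole archive when any member would land outside the destination. All function names are the example's own.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample archive (assumption, not the advisory's relative2.zip).

    Two benign members always; with malicious=True, four members that would
    land outside the extraction directory: a nested '..' escape, two plain
    '../' escapes aimed at the files the advisory's Impact section names,
    and an absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("sub/inside.txt", "also harmless\n")
        if malicious:
            zf.writestr("sub/../../escape.txt", "escapes via a nested ..\n")
            zf.writestr("../../.bashrc", "echo pwned\n")
            zf.writestr("../.config/autostart/evil.desktop",
                        "[Desktop Entry]\nType=Application\nExec=/tmp/evil\n")
            zf.writestr("/etc/cron.d/evil", "* * * * * root /tmp/evil\n")
    return buf.getvalue()


def entry_escapes(name: str) -> bool:
    """True if an archive member path would resolve outside the extraction root.

    Member names are POSIX-style strings; normalising them (no filesystem
    access) lets 'sub/../x' pass while '../x', 'sub/../../x' and absolute
    paths are rejected. A bare substring test for '../' gets both the
    false positive and the absolute-path miss wrong."""
    path = name.replace("\\", "/")
    if path.startswith("/"):          # absolute: never under the root
        return True
    norm = posixpath.normpath(path)   # collapses 'a/../b', keeps a leading '..'
    return norm == ".." or norm.startswith("../")


def unsafe_members(data: bytes) -> list:
    """Names of every member that would escape, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n)]


def safe_extract(data: bytes, dest: str) -> list:
    """Refuse the whole archive if any member escapes; otherwise extract it.

    Rejecting up front, rather than silently skipping bad members, matches
    what the advisory says Ark 20.08.0 does: the archive is not loaded and
    the user is warned. Returns the member names that were extracted."""
    bad = unsafe_members(data)
    if bad:
        raise ValueError("refusing to extract: %d member(s) would escape %s: %s"
                         % (len(bad), dest, bad))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def extracted_files(data: bytes) -> list:
    """Extract into a fresh temporary directory and return the relative paths
    that actually appeared on disk, sorted, so nothing outside it is missed."""
    with tempfile.TemporaryDirectory() as dest:
        safe_extract(data, dest)
        found = []
        for root, _dirs, files in os.walk(dest):
            for f in files:
                rel = os.path.relpath(os.path.join(root, f), dest)
                found.append(rel.replace(os.sep, "/"))
        return sorted(found)


if __name__ == "__main__":
    data = build_sample_archive()
    for name in unsafe_members(data):
        print("would escape:", name)
    try:
        extracted_files(data)
    except ValueError as exc:
        print(exc)
    print("benign archive extracted:",
          extracted_files(build_sample_archive(malicious=False)))
```

One caveat on the extraction step: Python's own zipfile.extractall strips "." and ".." components and a leading "/" from member names, so in this block the refusal comes entirely from entry_escapes, which is the behaviour to carry over to extractors that do not sanitise for you. The check is deliberately string-based so it can run on a downloaded archive before anything touches the filesystem, which is what the advisory's workaround asks of users.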