*** This bug is a security vulnerability ***

Public security bug reported:

I am including a debdiff for an upstream security bug in ark. I have tested it
in focal with a successful build in ppa. The link to a sample archive is
available in the kde advisory at
https://kde.org/info/security/advisory-20200730-1.txt
Upstream patch at:
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f

Below is the original KDE project security advisory:

Albert Astals Cid <aa...@kde.org>

KDE Project Security Advisory
=============================

Title:           Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-16116
Versions:        ark <= 20.04.3
Author:          Elvis Angelaccio <elvis.angelac...@kde.org>
Date:            30 July 2020

Overview
========

A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart

Workaround
==========

Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.

Solution
========

Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.

Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.

Credits
=======

Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
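The inspection the Workaround section asks users to do by hand, as an added Python example (not Ark's code and not the KDE fix): it lists the entries of an archive that would resolve outside the extraction directory, covering "../" components, absolute paths and, for tar archives, symlink and hard-link targets as well. The function names, the ``extract`` directory and the sample zip are constructed for illustration.

```python
import io
import os
import posixpath
import tarfile
import zipfile


def unsafe_members(names, extract_dir="extract"):
    """Return the entry names that would land outside extract_dir."""
    base = os.path.realpath(extract_dir)
    bad = []
    for name in names:
        # Archive entries use '/', but normalise '\' too so a Windows-style
        # entry cannot slip past the check.
        candidate = name.replace("\\", "/")
        if posixpath.isabs(candidate) or os.path.splitdrive(candidate)[0]:
            bad.append(name)  # absolute path or drive letter
            continue
        # realpath collapses '..' components the way extraction would
        target = os.path.realpath(os.path.join(base, *candidate.split("/")))
        if os.path.commonpath([base, target]) != base:
            bad.append(name)
    return bad


def zip_traversal_entries(data, extract_dir="extract"):
    """Entries of an in-memory zip that would escape extract_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_members(zf.namelist(), extract_dir)


def tar_traversal_entries(data, extract_dir="extract"):
    """Like zip_traversal_entries, but also checks link targets."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        names = []
        for m in tf.getmembers():
            names.append(m.name)
            if m.issym():  # symlink target is relative to the link's directory
                names.append(posixpath.join(posixpath.dirname(m.name), m.linkname))
            elif m.islnk():  # hard link target is relative to the archive root
                names.append(m.linkname)
        return unsafe_members(names, extract_dir)


def build_sample_zip():
    """Constructed sample: one benign entry and one '../' entry (not the PoC file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../outside.txt", "would land above the extraction directory\n")
    return buf.getvalue()
```

An empty result means every entry stays inside the chosen directory; a non-empty one is the cue not to extract with the vulnerable Ark versions listed above.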

** Affects: ark (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: patch

** Patch added: "debdiff/patch for focal. Directly backportable to earlier variants"
   https://bugs.launchpad.net/bugs/1889672/+attachment/5397227/+files/001-CVE-2020-16116-maliciously-crafted-archive-can-install-files-outside-the-extraction-directory.patch

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs