group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1893465] Re: KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Eduardo Barretto <1893465@xxxxxxxxxxxxxxxxxx>
Date: Tue, 01 Sep 2020 15:04:07 -0000
Reply-to: Bug 1893465 <1893465@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: ark (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: ark (Ubuntu Xenial)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1893465

Title:
  KDE Project Security Advisory: Ark: maliciously crafted TAR archive
  with symlinks can install files outside the extraction directory.

Status in ark package in Ubuntu:
  Fix Released
Status in ark source package in Xenial:
  New
Status in ark source package in Bionic:
  New
Status in ark source package in Focal:
  New
Status in ark source package in Groovy:
  Fix Released

Bug description:
  I have included a debdiff imported from upstream for the below
  security advisory for ark.

  I have tested the patch in ppa with the sample archive issued in the
  advisory and can confirm it works without any noticeable issues.


  KDE Project Security Advisory
  =============================

  Title:           Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
  Risk Rating:     Important
  CVE:             CVE-2020-24654
  Versions:        ark <= 20.08.0
  Author:          Elvis Angelaccio <elvis.angelaccio@xxxxxxx>
  Date:            27 August 2020

  Overview
  ========

  A maliciously crafted TAR archive containing symlink entries
  would install files anywhere in the user's home directory upon extraction.

  Proof of concept
  ================

  For testing, an example of malicious archive can be found at
  https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

  Impact
  ======

  Users can unwillingly install files like a modified .bashrc, or a malicious
  script placed in ~/.config/autostart.

  Workaround
  ==========

  Before extracting a downloaded archive using the Ark GUI, users should inspect it
  to make sure it doesn't contain symlink entries pointing outside the extraction folder.

  The 'Extract' context menu from the Dolphin file manager shouldn't be
  used.

  Solution
  ========

  Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR
  archives.

  Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
  releases.

  
  Credits
  =======

  Thanks to Fabian Vogt for reporting this issue and for fixing it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1893465/+subscriptions