group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1893465] Re: KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1893465@xxxxxxxxxxxxxxxxxx>
Date: Tue, 01 Sep 2020 19:43:23 -0000
Reply-to: Bug 1893465 <1893465@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package ark - 4:17.12.3-0ubuntu1.2

---------------
ark (4:17.12.3-0ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
    install files outside the extraction directory. (LP: #1893465)
    - 002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
    - CVE-2020-24654
    - Thanks to Fabian Vogt for reporting this issue and for fixing it.

 -- vishnunaini <vishnu@xxxxxxxxxxxxxxx>  Fri, 28 Aug 2020 22:12:54
+0530

** Changed in: ark (Ubuntu Bionic)
       Status: New => Fix Released

** Changed in: ark (Ubuntu Focal)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1893465

Title:
  KDE Project Security Advisory: Ark: maliciously crafted TAR archive
  with symlinks can install files outside the extraction directory.

Status in ark package in Ubuntu:
  Fix Released
Status in ark source package in Xenial:
  Fix Released
Status in ark source package in Bionic:
  Fix Released
Status in ark source package in Focal:
  Fix Released
Status in ark source package in Groovy:
  Fix Released

Bug description:
  I have included a debdiff imported from upstream for the below
  security advisory for ark.

  I have tested the patch in ppa with the sample archive issued in the
  advisory and can confirm it works without any noticeable issues.


  KDE Project Security Advisory
  =============================

  Title:           Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
  Risk Rating:     Important
  CVE:             CVE-2020-24654
  Versions:        ark <= 20.08.0
  Author:          Elvis Angelaccio <elvis.angelaccio@xxxxxxx>
  Date:            27 August 2020

  Overview
  ========

  A maliciously crafted TAR archive containing symlink entries
  would install files anywhere in the user's home directory upon extraction.

  Proof of concept
  ================

  For testing, an example of malicious archive can be found at
  https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

  Impact
  ======

  Users can unwillingly install files like a modified .bashrc, or a malicious
  script placed in ~/.config/autostart.

  Workaround
  ==========

  Before extracting a downloaded archive using the Ark GUI, users should inspect it
  to make sure it doesn't contain symlink entries pointing outside the extraction folder.

  The 'Extract' context menu from the Dolphin file manager shouldn't be
  used.

  Solution
  ========

  Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR
  archives.

  Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
  releases.

  
  Credits
  =======

  Thanks to Fabian Vogt for reporting this issue and for fixing it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1893465/+subscriptions