#13654 closed enhancement (fixed)

kf5-apps kwave kate 20.08.0

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: normal Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New April 2020 version of kf5-apps.

Change History (5)

comment:1 by Douglas R. Reno, 14 months ago

This one is for ark

KDE Project Security Advisory
=============================

Title:           Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-16116
Versions:        ark <= 20.04.3
Author:          Elvis Angelaccio <elvis.angelaccio@kde.org>
Date:            30 July 2020

Overview
========

A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of a malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.

Workaround
==========

Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.

Solution
========

Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.

Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.

Credits
=======

Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.

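A defensive pre-extraction check of the kind the workaround above describes, written here as an added Python example; it is not part of this ticket or of Ark's own fix, and the sample archive it inspects is constructed inline (the linked relative2.zip is not used):

```python
import io
import os
import posixpath
import zipfile


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return member names that would land outside the extraction directory:
    absolute or drive-prefixed paths, or paths still starting with '..' after
    normalization. A bare '..' substring is not enough on its own:
    'docs/../notes.txt' resolves inside the directory and is allowed."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Treat backslashes as separators, as a lenient extractor would.
            candidate = name.replace("\\", "/")
            if candidate.startswith("/") or os.path.splitdrive(candidate)[0]:
                bad.append(name)
                continue
            norm = posixpath.normpath(candidate)
            if norm == ".." or norm.startswith("../"):
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any entry escapes (the advisory says Ark
    20.08.0 likewise declines to load it); otherwise extract and return names."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"archive contains traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed in-memory sample archive, not the one linked in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("docs/../notes.txt", "also harmless: resolves to notes.txt\n")
        if malicious:
            zf.writestr("../.bashrc", "# would replace the user's shell rc\n")
            zf.writestr("a/../../.config/autostart/x.desktop", "# would autostart\n")
            zf.writestr("/etc/motd", "absolute path\n")
    return buf.getvalue()
```

Python's own `ZipFile.extractall` already strips such prefixes, so `safe_extract` exists to demonstrate the refuse-rather-than-sanitize policy the advisory describes.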
comment:2 by Bruce Dubbs, 14 months ago (in reply to: comment:1)

Replying to renodr:

    Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users.

kde-apps 20.08.0 is due on Aug 13. I will be updating then.

comment:3 by Bruce Dubbs, 14 months ago

Milestone: hold → 10.0
Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned
Summary: kf5-apps kwave kate 20,04.1 (Hold until August) → kf5-apps kwave kate 20,08.0

comment:4 by Bruce Dubbs, 14 months ago

Summary: kf5-apps kwave kate 20,08.0 → kf5-apps kwave kate 20.08.0

comment:5 by Bruce Dubbs, 13 months ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 23603.
