Opened 3 years ago

Closed 2 years ago

#13654 closed enhancement (fixed)

kf5-apps kwave kate 20.08.0

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: normal Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New April 2020 version of kf5-apps.

Change History (5)

comment:1 by Douglas R. Reno, 2 years ago

This one is for ark

KDE Project Security Advisory

Title:           Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-16116
Versions:        ark <= 20.04.3
Author:          Elvis Angelaccio <>
Date:            30 July 2020


A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at


Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart


Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.


Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.

can be applied to previous releases.


Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.

in reply to:  1 comment:2 by Bruce Dubbs, 2 years ago

Replying to renodr:

Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users.

kde-apps 20.08.0 is due on Aug 13. I will be updating then.

comment:3 by Bruce Dubbs, 2 years ago

Milestone: hold10.0
Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned
Summary: kf5-apps kwave kate 20,04.1 (Hold until August)kf5-apps kwave kate 20,08.0

comment:4 by Bruce Dubbs, 2 years ago

Summary: kf5-apps kwave kate 20,08.0kf5-apps kwave kate 20.08.0

comment:5 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 23603.

Note: See TracTickets for help on using tickets.