From URL: Overview ======== A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction. Solution ======== Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users. Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases.
Maintainer, please apply the patch to our version.
Created attachment 651734 [details, diff] CVE-2020-16116 patch As a temporary fix, here is a patch to put in /etc/portage/patches/kde-apps/ark/ which applies the commit linked above.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55a42a5c7060468e5406884bfa4294b3cdc824c7 commit 55a42a5c7060468e5406884bfa4294b3cdc824c7 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-08-01 15:41:53 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-08-01 22:57:17 +0000 kde-apps/ark: Fix CVE-2020-16116 Bug: https://bugs.gentoo.org/734622 Package-Manager: Portage-3.0.1, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> kde-apps/ark/ark-20.04.3-r1.ebuild | 85 ++++++++++++++++++++++ .../ark/files/ark-20.04.3-CVE-2020-16116.patch | 46 ++++++++++++ 2 files changed, 131 insertions(+)
Thanks. Tell us when ready to stable.
Is that a yes? ;)
arm64 stable
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a51a70967106f46cf55b16b9209947481133c90 commit 6a51a70967106f46cf55b16b9209947481133c90 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-08-05 14:29:19 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-08-06 15:04:35 +0000 kde-apps/ark: Drop vulnerable 20.04.3 (r0) Bug: https://bugs.gentoo.org/734622 Package-Manager: Portage-3.0.1, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> kde-apps/ark/ark-20.04.3.ebuild | 83 ----------------------------------------- 1 file changed, 83 deletions(-)
Thanks. Cleanup done.
This issue was resolved and addressed in GLSA 202008-03 at https://security.gentoo.org/glsa/202008-03 by GLSA coordinator Sam James (sam_c).