Bug 743959 (CVE-2020-24654)

Summary: <kde-apps/ark-20.04.3-r2: crafted TAR archive with symlinks can install files outside the extraction directory (CVE-2020-24654)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check-
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve]
Package list:
kde-apps/ark-20.04.3-r2
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2020-09-21 13:56:35 UTC
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

References:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
https://kde.org/info/security/advisory-20200827-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
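
A defensive pre-extraction check for the symlink behaviour described in the report above, as an added example that is not part of the original bug report and is not Ark's or Gentoo's code. The helper names (`resolve`, `escapes`, `audit_tar`, `build_sample`) and the sample archive contents are constructed for illustration; the check tracks symlinks seen earlier in the archive so that later members addressed through them are resolved to their real destination.

```python
import io
import posixpath
import tarfile

def resolve(path, links):
    """Walk `path` one component at a time, following symlinks recorded so far."""
    cur = "/" if path.startswith("/") else ""
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, comp))
        cur = links.get(cur, cur)  # a known symlink is replaced by its effective target
    return cur or "."

def escapes(path):
    return path.startswith("/") or path == ".." or path.startswith("../")

def audit_tar(fileobj):
    """Return (member, reason) pairs for entries that would leave the extraction root."""
    findings, links = [], {}
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar:
            parent, base = posixpath.split(m.name.rstrip("/"))
            if m.issym():
                # Where the link itself lands, and where it points (relative to its directory)
                where = posixpath.normpath(posixpath.join(resolve(parent, links), base))
                target = resolve(posixpath.join(parent, m.linkname), links)
                links[where] = target
                dest, what = (where if escapes(where) else target), "symlink"
            else:
                dest, what = resolve(m.name, links), "write destination"
            if escapes(dest):
                findings.append((m.name, f"{what} resolves to {dest}"))
    return findings

def build_sample():
    """Constructed sample: a symlink leaving the root, then a file addressed through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("docs/latest")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(link)
        for name in ("docs/latest/notes.txt", "docs/readme.txt"):
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_tar(build_sample()))
```

Checking each member name on its own misses the second entry, because `docs/latest/notes.txt` contains no `..` and only leaves the root once the earlier symlink is followed.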
Comment 1 John Helmert III gentoo-dev Security 2020-09-21 14:08:46 UTC
Release has been packaged for a few weeks:

commit d71f3d8fe0aa4787bd33dcce7d47de5612f12bb9
Author: Andreas Sturmlechner <asturm@gentoo.org>
Date:   Thu Sep 3 11:21:38 2020 +0200

    kde-apps/ark: 20.08.1 version bump

    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 create mode 100644 kde-apps/ark/ark-20.08.1.ebuild



Maintainer, let us know when ready to stable.
Comment 2 Sam James archtester gentoo-dev Security 2020-09-25 20:48:51 UTC
ping?

"Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
releases." if that's an issue.
Comment 3 Andreas Sturmlechner gentoo-dev 2020-09-28 21:32:35 UTC
Nope.
Comment 4 Sam James archtester gentoo-dev Security 2020-09-28 21:33:21 UTC
(In reply to Andreas Sturmlechner from comment #3)
> Nope.

Okay. Are you able to apply the patch to the earlier version then?
Comment 5 Larry the Git Cow gentoo-dev 2020-09-28 21:33:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d93956341a938c84f2da5057b8fe2e259c

commit f25fa2d93956341a938c84f2da5057b8fe2e259c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-09-28 18:40:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-09-28 21:28:22 +0000

    kde-apps/ark: Fix CVE-2020-24654
    
    Bug: https://bugs.gentoo.org/743959
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3-r2.ebuild                 | 84 ++++++++++++++++++++++
 .../ark/files/ark-20.04.3-CVE-2020-24654.patch     | 53 ++++++++++++++
 2 files changed, 137 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2020-09-29 18:45:06 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-10-02 19:57:13 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-10-02 21:34:14 UTC
x86 done

all arches done
Comment 9 Sam James archtester gentoo-dev Security 2020-10-02 23:32:59 UTC
Please clean up.
Comment 10 Larry the Git Cow gentoo-dev 2020-10-04 16:07:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03e09ac68a85f54a4140fb025d61fef3e1f31755

commit 03e09ac68a85f54a4140fb025d61fef3e1f31755
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-04 08:43:35 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-04 15:54:07 +0000

    kde-apps/ark: Cleanup vulnerable 20.04.3-r1
    
    Bug: https://bugs.gentoo.org/743959
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3-r1.ebuild | 85 --------------------------------------
 1 file changed, 85 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2020-11-25 18:17:53 UTC
Unable to check for sanity:

> no match for package: kde-apps/ark-20.04.3-r2
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:58 UTC
This issue was resolved and addressed in
 GLSA 202101-06 at https://security.gentoo.org/glsa/202101-06
by GLSA coordinator Sam James (sam_c).