Summary: | <kde-apps/ark-20.04.3-r2: crafted TAR archive with symlinks can install files outside the extraction directory (CVE-2020-24654) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ajak |
Priority: | Normal | Keywords: | CC-ARCHES |
Version: | unspecified | Flags: | nattka:
sanity-check-
|
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
kde-apps/ark-20.04.3-r2
|
Runtime testing required: | --- |
Description
Agostino Sarubbo
2020-09-21 13:56:35 UTC
Release has been packaged for a few weeks: commit d71f3d8fe0aa4787bd33dcce7d47de5612f12bb9 Author: Andreas Sturmlechner <asturm@gentoo.org> Date: Thu Sep 3 11:21:38 2020 +0200 kde-apps/ark: 20.08.1 version bump Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> create mode 100644 kde-apps/ark/ark-20.08.1.ebuild Maintainer, let us know when ready to stable. ping? "Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases." if that's an issue. Nope. (In reply to Andreas Sturmlechner from comment #3) > Nope. Okay. Are you able to apply the patch to the earlier version then? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d93956341a938c84f2da5057b8fe2e259c commit f25fa2d93956341a938c84f2da5057b8fe2e259c Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-09-28 18:40:24 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-09-28 21:28:22 +0000 kde-apps/ark: Fix CVE-2020-24654 Bug: https://bugs.gentoo.org/743959 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> kde-apps/ark/ark-20.04.3-r2.ebuild | 84 ++++++++++++++++++++++ .../ark/files/ark-20.04.3-CVE-2020-24654.patch | 53 ++++++++++++++ 2 files changed, 137 insertions(+) arm64 done amd64 done x86 done all arches done Please cleanup. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03e09ac68a85f54a4140fb025d61fef3e1f31755 commit 03e09ac68a85f54a4140fb025d61fef3e1f31755 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-04 08:43:35 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-04 15:54:07 +0000 kde-apps/ark: Cleanup vulnerable 20.04.3-r1 Bug: https://bugs.gentoo.org/743959 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> kde-apps/ark/ark-20.04.3-r1.ebuild | 85 -------------------------------------- 1 file changed, 85 deletions(-) Unable to check for sanity:
> no match for package: kde-apps/ark-20.04.3-r2
This issue was resolved and addressed in GLSA 202101-06 at https://security.gentoo.org/glsa/202101-06 by GLSA coordinator Sam James (sam_c). |