Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 734622 (CVE-2020-16116) - <kde-apps/ark-20.04.3-r1: Arbitrary file overwrite via malicious archives (CVE-2020-16116)
Summary: <kde-apps/ark-20.04.3-r1: Arbitrary file overwrite via malicious archives (CV...
Status: RESOLVED FIXED
Alias: CVE-2020-16116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-29 22:36 UTC by John Helmert III
Modified: 2020-08-08 04:24 UTC (History)
0 users

See Also:
Package list:
kde-apps/ark-20.04.3-r1
Runtime testing required: ---
nattka: sanity-check+

Attachments
CVE-2020-16116 patch (ark-path-traversal-CVE-2020-16116.patch,689 bytes, patch)
2020-07-31 02:33 UTC, kevinmbecause 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 22:36:26 UTC 
From URL:


Overview
========

A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.

Solution
========

Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.

Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 22:37:03 UTC 
Maintainer, please apply the patch to our version.
Comment 2 kevinmbecause 2020-07-31 02:33:26 UTC 
Created attachment 651734 [details, diff]
CVE-2020-16116 patch

As a temporary fix, here is a patch to put in /etc/portage/patches/kde-apps/ark/ which applies the commit linked above.
Comment 3 Larry the Git Cow gentoo-dev 2020-08-01 22:57:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55a42a5c7060468e5406884bfa4294b3cdc824c7

commit 55a42a5c7060468e5406884bfa4294b3cdc824c7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-01 15:41:53 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-01 22:57:17 +0000

    kde-apps/ark: Fix CVE-2020-16116
    
    Bug: https://bugs.gentoo.org/734622
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3-r1.ebuild                 | 85 ++++++++++++++++++++++
 .../ark/files/ark-20.04.3-CVE-2020-16116.patch     | 46 ++++++++++++
 2 files changed, 131 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-01 23:39:56 UTC 
Thanks. Tell us when ready to stable.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-03 04:50:35 UTC 
Is that a yes? ;)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 00:31:49 UTC 
arm64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-05 13:58:24 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-08-05 14:26:55 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Larry the Git Cow gentoo-dev 2020-08-06 15:04:56 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a51a70967106f46cf55b16b9209947481133c90

commit 6a51a70967106f46cf55b16b9209947481133c90
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-05 14:29:19 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-06 15:04:35 +0000

    kde-apps/ark: Drop vulnerable 20.04.3 (r0)
    
    Bug: https://bugs.gentoo.org/734622
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3.ebuild | 83 -----------------------------------------
 1 file changed, 83 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 19:41:10 UTC 
Thanks. Cleanup done.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-08-08 04:24:33 UTC 
This issue was resolved and addressed in
 GLSA 202008-03 at https://security.gentoo.org/glsa/202008-03
by GLSA coordinator Sam James (sam_c).