In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

References:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
https://kde.org/info/security/advisory-20200827-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Release has been packaged for a few weeks:

commit d71f3d8fe0aa4787bd33dcce7d47de5612f12bb9
Author: Andreas Sturmlechner <asturm@gentoo.org>
Date:   Thu Sep 3 11:21:38 2020 +0200

    kde-apps/ark: 20.08.1 version bump

    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 create mode 100644 kde-apps/ark/ark-20.08.1.ebuild

Maintainer, let us know when ready to stable.
ping? "Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases." if that's an issue.
Nope.
(In reply to Andreas Sturmlechner from comment #3)
> Nope.

Okay. Are you able to apply the patch to the earlier version then?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d93956341a938c84f2da5057b8fe2e259c

commit f25fa2d93956341a938c84f2da5057b8fe2e259c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-09-28 18:40:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-09-28 21:28:22 +0000

    kde-apps/ark: Fix CVE-2020-24654

    Bug: https://bugs.gentoo.org/743959
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3-r2.ebuild                 | 84 ++++++++++++++++++++++
 .../ark/files/ark-20.04.3-CVE-2020-24654.patch     | 53 ++++++++++++++
 2 files changed, 137 insertions(+)
arm64 done
amd64 done
x86 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03e09ac68a85f54a4140fb025d61fef3e1f31755

commit 03e09ac68a85f54a4140fb025d61fef3e1f31755
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-04 08:43:35 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-04 15:54:07 +0000

    kde-apps/ark: Cleanup vulnerable 20.04.3-r1

    Bug: https://bugs.gentoo.org/743959
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ark/ark-20.04.3-r1.ebuild | 85 --------------------------------------
 1 file changed, 85 deletions(-)
Unable to check for sanity:

> no match for package: kde-apps/ark-20.04.3-r2
This issue was resolved and addressed in GLSA 202101-06 at https://security.gentoo.org/glsa/202101-06 by GLSA coordinator Sam James (sam_c).