KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

The attachment "debdiff/patch for focal. Directly backportable to earlier variants" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

This bug was fixed in the package ark - 4:20.04.3-1

---------------
ark (4:20.04.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * Backport upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f to fix
    vulnerability to path traversal attacks (CVE-2020-16116); patch
    upstream_Fix-vulnerability-to-path-traversal-attacks.patch.
  * CI: disable build path variations, as not well handled with ark by the
    current toolchain.
  * Add Rules-Requires-Root: no.
  * Change an internal hostname of an old Ubuntu changelog entry to
    <email address hidden> to avoid lintian issues.

 -- Pino Toscano <email address hidden> Thu, 30 Jul 2020 17:11:50 +0200

Sorry, but I could not get the update by using apt-get update & upgrade

http://archive.ubuntu.com/ubuntu/dists/focal-updates/universe/binary-amd64/Packages.gz

and

http://archive.ubuntu.com/ubuntu/dists/focal-updates/universe/binary-amd64/Packages.xz

does not announce the update...

Rik only pushed an update for 20.10 Beta i.e groovy as he only has access to the development version.

For the LTS release 20.04, the patch has not been released as it can only be pushed by the Ubuntu security team or the release sponsors team.

I have just now added the ubuntu-security sponsors to this bugs subscription list as this bug seems to have missed their queue.

thx for quick response and explanation!

(to exclude an error on my side I made some research and learned a lot about the "apt-get" update process)

Thanks for preparing the debdiff and adding the ubuntu-security-sponsors account; I'll be taking a look at this.

I've pushed the focal version to the ubuntu security proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa) after adjusting the version to match the versioning scheme described at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging and tweaking the changelog message.

I don't suppose upstream added any tests to verify correct behavior?

Upstream has included the below test archive in the original advisory. Upon trying to open the test archive in ark, a warning will show below the menu bar.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

I have tested steve's focal build from security-proposed and was able to succesfully validate the fix i.e. warning for the PoC.

I have attached a screenshot of the warning when trying to open the PoC

vishnunaini, thanks for testing and the pointer to the reproducer.

I also went ahead and carried back the patch to bionic's ark as well, and have uploaded it to the same ppa.

For xenial, the patch fails to apply because the passed archive entry type is different, and it was not clear to me whether the older version of the type contained an equivalent way to get access to the result of the fullPath() method call.

Code went through a major refactor after xenial to integrate with updated Qt. See https://phabricator.kde.org/T2704

The refactor for this function was

-void Job::onEntry(const ArchiveEntry & archiveEntry)
+void Job::onEntry(Archive::Entry *entry)
 {
- emit newEntry(archiveEntry);
+ emit newEntry(entry);
 }

I tried to backport it to xenial but to no avail.
There are too many function changes

The ArchievEntry->fullPath() doesn't work because archiveinterface.h doesn't exist.
backporting archiveinterfac.h will require a lot of refactor in the entire code

I am not familiar with the code to rewrite the actual patch itself instead of refactoring

Even debian doesn't seem to have backported it. It seems difficult for anyone who is not familiar with the upstream structure.

This was addressed in bionic in https://launchpad.net/ubuntu/+source/ark/4:17.12.3-0ubuntu1.1 and focal in https://launchpad.net/ubuntu/+source/ark/4:19.12.3-0ubuntu1.1, and covered in USN 4461-1.

Thanks for preparing the updates and helping to protect users, vishnunaini!