diff -Nru ark-17.12.3/debian/changelog ark-17.12.3/debian/changelog
--- ark-17.12.3/debian/changelog 2020-07-30 17:40:55.000000000 +0000
+++ ark-17.12.3/debian/changelog 2020-08-28 16:42:54.000000000 +0000
@@ -1,3 +1,13 @@
+ark (4:17.12.3-0ubuntu1.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: maliciously crafted TAR archive with symlinks can
+ install files outside the extraction directory. (LP: #1893465)
+ - 002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
+ - CVE-2020-24654
+ - Thanks to Fabian Vogt for reporting this issue and for fixing it.
+
+ -- vishnunaini Fri, 28 Aug 2020 22:12:54 +0530
+
 ark (4:17.12.3-0ubuntu1.1) bionic-security; urgency=medium

 * SECURITY UPDATE: Ark: maliciously crafted archive can install
diff -Nru ark-17.12.3/debian/patches/002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch ark-17.12.3/debian/patches/002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
--- ark-17.12.3/debian/patches/002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch 1970-01-01 00:00:00.000000000 +0000
+++ ark-17.12.3/debian/patches/002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch 2020-08-28 16:42:54.000000000 +0000
@@ -0,0 +1,58 @@
+Description: maliciously crafted TAR archive with symlinks can install files outside the extraction directory
+ - CVE-2020-24654
+ - Thanks to Fabian Vogt for reporting this issue and for fixing it.
+
+Author: v.naini
+
+---
+Origin: upstream, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
+Bug: https://kde.org/info/security/advisory-20200827-1.txt
+Bug-Debian:
+Bug-Ubuntu:
+Forwarded:
+Reviewed-By:
+Last-Update: 2020-08-28
+---
+From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Tue, 25 Aug 2020 22:14:37 +0200
+Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive
+
+There are archive types which allow to first create a symlink and then
+later on dereference it. If the symlink points outside of the archive,
+this results in writing outside of the destination directory.
+
+With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids
+this situation by verifying that none of the target path components are
+symlinks before writing.
+
+Remove the commented out code in the method, which would actually
+misbehave if enabled again.
+
+--- ark-19.12.3.orig/plugins/libarchive/libarchiveplugin.cpp
++++ ark-19.12.3/plugins/libarchive/libarchiveplugin.cpp
+@@ -479,21 +479,9 @@ void LibarchivePlugin::emitEntryFromArch
+
+ int LibarchivePlugin::extractionFlags() const
+ {
+- int result = ARCHIVE_EXTRACT_TIME;
+- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+- // TODO: Don't use arksettings here
+- /*if ( ArkSettings::preservePerms() )
+- {
+- result &= ARCHIVE_EXTRACT_PERM;
+- }
+-
+- if ( !ArkSettings::extractOverwrite() )
+- {
+- result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+- }*/
+-
+- return result;
++ return ARCHIVE_EXTRACT_TIME
++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
diff -Nru ark-17.12.3/debian/patches/series ark-17.12.3/debian/patches/series
--- ark-17.12.3/debian/patches/series 2020-07-30 17:40:55.000000000 +0000
+++ ark-17.12.3/debian/patches/series 2020-08-28 16:42:54.000000000 +0000
@@ -1 +1,2 @@
 001-CVE-2020-16116-maliciously-crafted-archive-can-install-files-outside-the-extraction-directory.patch
+002-CVE-2020-24654-tar-symlinks-outside-extraction-directory.patch
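Review bot: In the carried patch's libarchiveplugin.cpp hunk, the new `extractionFlags()` return expression sets `ARCHIVE_EXTRACT_SECURE_NODOTDOT` and `ARCHIVE_EXTRACT_SECURE_SYMLINKS` but not `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS`, and nothing visible here shows absolute entry paths being refused elsewhere. If the extraction loop outside this hunk does not already strip or reject them, appending `| ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` would cover that remaining write-outside-destination case; confirm first that the libarchive shipped with this release defines the flag. With the old TODO block gone the function has no comment at all, so a line such as `// SECURE_* flags keep writes inside the destination directory (CVE-2020-24654); do not drop them.` above the return would guard against a later refactor removing them. The embedded patch header names ark-19.12.3 while the package is 17.12.3, so it presumably applies with an offset; it is worth checking in the build log that the hunk lands on `extractionFlags()` cleanly and not with fuzz.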