ark nmu for CVE-2020-16116
Norbert Preining
norbert at preining.info
Thu Jul 30 01:56:09 BST 2020
Dear all,
I just uploaded ark 4:20.04.0-1.1 which fixes CVE-2020-16116
to the delayed/5 queue. Please find the debdiff here.
Best
Norbert
diff -Nru ark-20.04.0/debian/changelog ark-20.04.0/debian/changelog
--- ark-20.04.0/debian/changelog 2020-04-26 19:18:32.000000000 +0900
+++ ark-20.04.0/debian/changelog 2020-07-30 09:42:30.000000000 +0900
@@ -1,3 +1,12 @@
+ark (4:20.04.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2020-16116: maliciously crafted archive can install files outside
+ the extraction directory
+ Patch from upstream
+
+ -- Norbert Preining <norbert at preining.info> Thu, 30 Jul 2020 09:42:30 +0900
+
ark (4:20.04.0-1) unstable; urgency=medium
* Team upload.
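Review bot: the changelog entry says "Patch from upstream" but gives no reference for where the fix came from; the patch file name in this debdiff carries the upstream commit id 0df592524fed305d6fbe74ddf8a196bc9ffdb92f, so cite that commit in the entry (e.g. "Patch from upstream commit 0df592524fed...") so the provenance of the security fix is traceable from the changelog alone.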
diff -Nru ark-20.04.0/debian/patches/ark-security-0df592524fed305d6fbe74ddf8a196bc9ffdb92f.diff ark-20.04.0/debian/patches/ark-security-0df592524fed305d6fbe74ddf8a196bc9ffdb92f.diff
--- ark-20.04.0/debian/patches/ark-security-0df592524fed305d6fbe74ddf8a196bc9ffdb92f.diff 1970-01-01 09:00:00.000000000 +0900
+++ ark-20.04.0/debian/patches/ark-security-0df592524fed305d6fbe74ddf8a196bc9ffdb92f.diff 2020-07-30 07:56:22.000000000 +0900
@@ -0,0 +1,21 @@
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kerfuffle/jobs.cpp
++++ b/kerfuffle/jobs.cpp
+@@ -181,6 +181,14 @@ void Job::onError(const QString & messag
+
+ void Job::onEntry(Archive::Entry *entry)
+ {
++ const QString entryFullPath = entry->fullPath();
++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++ onFinished(false);
++ return;
++ }
++
+ emit newEntry(entry);
+ }
+
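Review bot: the new patch file has no DEP-3 header (Description, Origin, Applied-Upstream, Bug), only the "---" separator and diffstat; add one naming upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f and CVE-2020-16116 so the patch itself records what it fixes. On the code: the added block uses QDir::cleanPath and QLatin1String without adding any #include, so confirm kerfuffle/jobs.cpp already includes <QDir> (the hunk cannot show this). The check itself is sound for relative traversal, since QDir::cleanPath normalises a path such as a/../../b to ../b before the substring test, but it only looks for the "../" substring, so an entry with an absolute path would pass this test; verify that the extraction code handles absolute entry paths elsewhere, or extend the check here.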
diff -Nru ark-20.04.0/debian/patches/series ark-20.04.0/debian/patches/series
--- ark-20.04.0/debian/patches/series 1970-01-01 09:00:00.000000000 +0900
+++ ark-20.04.0/debian/patches/series 2020-07-30 07:56:11.000000000 +0900
@@ -0,0 +1 @@
+ark-security-0df592524fed305d6fbe74ddf8a196bc9ffdb92f.diff
--
PREINING Norbert https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13