Hello community,

here is the log from the commit of package ark for openSUSE:Factory checked in at 2020-08-04 20:16:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ark (Old)
 and      /work/SRC/openSUSE:Factory/.ark.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ark"

Tue Aug  4 20:16:44 2020 rev:120 rq:824154 version:20.04.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/ark/ark.changes  2020-07-14 07:46:14.271256536 
+0200
+++ /work/SRC/openSUSE:Factory/.ark.new.3592/ark.changes        2020-08-04 
20:17:08.388892308 +0200
@@ -1,0 +2,6 @@
+Mon Aug  3 13:31:33 UTC 2020 - Christophe Giboudeaux <[email protected]>
+
+- Add upstream patch to prevent directory traversal (boo#1174773, 
CVE-2020-16116)
+  * 0001-Fix-vulnerability-to-path-traversal-attacks.patch
+
+-------------------------------------------------------------------

New:
----
  0001-Fix-vulnerability-to-path-traversal-attacks.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ark.spec ++++++
--- /var/tmp/diff_new_pack.EEIQle/_old  2020-08-04 20:17:10.732893735 +0200
+++ /var/tmp/diff_new_pack.EEIQle/_new  2020-08-04 20:17:10.736893737 +0200
@@ -30,6 +30,8 @@
 Source:         
https://download.kde.org/stable/release-service/%{version}/src/%{name}-%{version}.tar.xz
 # PATCH-FIX-OPENSUSE
 Patch0:         0001-Support-building-against-libarchive-3.3.2-again.patch
+# PATCH-FIX-UPSTREAM
+Patch1:         0001-Fix-vulnerability-to-path-traversal-attacks.patch
 BuildRequires:  extra-cmake-modules
 BuildRequires:  kf5-filesystem
 BuildRequires:  libarchive-devel
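Review bot: the `# PATCH-FIX-UPSTREAM` tag on Patch1 carries no reference, while the changelog entry in this same request names both boo#1174773 and CVE-2020-16116; append them to the tag (e.g. `# PATCH-FIX-UPSTREAM CVE-2020-16116 boo#1174773`) so the spec is self-describing. This hunk only declares Patch1; the %prep section is outside the diff, so confirm it actually applies the new patch (via %autosetup -p1 or an explicit %patch1 -p1), otherwise the package builds without the fix.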

++++++ 0001-Fix-vulnerability-to-path-traversal-attacks.patch ++++++
From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
From: Elvis Angelaccio <[email protected]>
Date: Wed, 29 Jul 2020 23:45:30 +0200
Subject: [PATCH] Fix vulnerability to path traversal attacks

Ark was vulnerable to directory traversal attacks because of
missing validation of file paths in the archive.

More details about this attack are available at:
https://github.com/snyk/zip-slip-vulnerability

Job::onEntry() is the only place where we can safely check the path of
every entry in the archive. There shouldn't be a valid reason
to have a "../" in an archive path, so we can just play safe and abort
the LoadJob if we detect such an entry. This makes it impossible to
extract this kind of malicious archive and perform the attack.

Thanks to Albert Astals Cid for suggesting the use of QDir::cleanPath()
so that we can still allow loading of legitimate archives that
contain "../" in their paths but resolve inside the extraction folder.
---
 kerfuffle/jobs.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
index fdaa4869..f73b56f8 100644
--- a/kerfuffle/jobs.cpp
+++ b/kerfuffle/jobs.cpp
@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & 
details)
 
 void Job::onEntry(Archive::Entry *entry)
 {
+    const QString entryFullPath = entry->fullPath();
+    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
+        qCWarning(ARK) << "Possibly malicious archive. Detected entry that 
could lead to a directory traversal attack:" << entryFullPath;
+        onError(i18n("Could not load the archive because it contains 
ill-formed entries and might be a malicious archive."), QString());
+        onFinished(false);
+        return;
+    }
+
     emit newEntry(entry);
 }
 
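Review bot: the traversal test in Job::onEntry() is both looser and narrower than it needs to be. After QDir::cleanPath() any surviving `..` component can only sit at the start of the path, so `contains(QLatin1String("../"))` also matches a legitimate name such as `backup../notes.txt` (a directory literally named `backup..`), while it misses an entry that is exactly `..` (no trailing slash) and does not look at absolute entry paths such as `/etc/passwd`, which cleanPath() keeps as they are. Suggest binding the cleaned path to a local and testing `cleaned == QLatin1String("..") || cleaned.startsWith(QLatin1String("../")) || QDir::isAbsolutePath(cleaned)`; if absolute paths are meant to be handled by the backend plugins rather than here, that is not visible in this hunk and deserves a comment next to the check.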
-- 
2.28.0
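The check the patch adds to Job::onEntry(), re-implemented below as an added example in Python rather than Ark's own C++/Qt code, with posixpath.normpath() standing in for QDir::cleanPath() (both collapse "." and "a/.." components). It builds a small zip in memory so it runs offline; the entry names, the archive and the stricter variant shown beside the patch's test are constructed for illustration and are not from the Ark project. Running it shows which entries each variant would abort the load on.

```python
import io
import posixpath
import zipfile
from typing import Callable, List

# Entry names constructed for this example (not taken from any real archive).
# Each one exercises a different case of the traversal check.
SAMPLE_ENTRIES = [
    "docs/readme.txt",              # ordinary file, must be allowed
    "docs/../../etc/cron.d/evil",   # zip-slip: escapes the extraction folder
    "pkg/../LICENSE",               # "../" that still resolves inside (legitimate)
    "backup../notes.txt",           # directory literally named "backup.."
    "/etc/passwd",                  # absolute path, never inside the extraction folder
    "..",                           # bare parent reference, no trailing slash
]


def ark_style_check(entry_path: str) -> bool:
    """The test the patch adds: clean the path, then look for '../' anywhere.

    posixpath.normpath() collapses '.' and 'a/..' like QDir::cleanPath(), so
    'pkg/../LICENSE' becomes 'LICENSE' and is not flagged, while
    'docs/../../etc/cron.d/evil' becomes '../etc/cron.d/evil' and is.
    """
    return "../" in posixpath.normpath(entry_path)


def strict_check(entry_path: str) -> bool:
    """Tighter variant (an assumption of this example, not Ark's code).

    After normalisation any surviving '..' component can only be leading, so
    it is enough to test for a path that starts with '../' or is exactly '..'.
    An absolute path is rejected outright: it can never land inside the
    extraction folder, and normpath() keeps the leading '/' (it turns
    '/../etc' into '/etc', so a '..' test alone would not see it).
    """
    cleaned = posixpath.normpath(entry_path)
    if posixpath.isabs(cleaned):
        return True
    return cleaned == ".." or cleaned.startswith("../")


def build_sample_zip(names: List[str] = SAMPLE_ENTRIES) -> bytes:
    """Write a zip with the given member names into memory.

    zipfile.ZipInfo stores the name verbatim, so '..' and a leading '/' are
    kept exactly as a malicious archive would carry them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(zipfile.ZipInfo(name), b"x")
    return buf.getvalue()


def flagged_entries(data: bytes, check: Callable[[str], bool]) -> List[str]:
    """Run `check` over every member name, mirroring Job::onEntry() being
    called once per entry; returns the names that would abort the load."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if check(info.filename)]


def load_or_reject(data: bytes, check: Callable[[str], bool] = strict_check) -> List[str]:
    """Abort on the first offending entry, as the patched LoadJob does;
    otherwise return the complete entry list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    for name in names:
        if check(name):
            raise ValueError(f"possibly malicious archive, ill-formed entry: {name!r}")
    return names


if __name__ == "__main__":
    data = build_sample_zip()
    print("patch check flags :", flagged_entries(data, ark_style_check))
    print("strict check flags:", flagged_entries(data, strict_check))
```

Both variants only inspect the entry name as a POSIX path: the zip format requires forward slashes, but on a platform whose extractor also treats a backslash as a separator a name such as `..\..\x` passes both checks unchanged, so an extractor that runs there needs to normalise separators before applying either test.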
