Hello community,

here is the log from the commit of package ark for openSUSE:Factory checked in at 2020-09-03 01:11:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ark (Old)
 and      /work/SRC/openSUSE:Factory/.ark.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ark"

Thu Sep  3 01:11:42 2020 rev:122 rq:830103 version:20.08.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/ark/ark.changes  2020-08-18 11:55:55.967277974 
+0200
+++ /work/SRC/openSUSE:Factory/.ark.new.3399/ark.changes        2020-09-03 
01:12:05.892425864 +0200
@@ -1,0 +2,6 @@
+Thu Aug 27 20:13:13 UTC 2020 - Fabian Vogt <fab...@ritter-vogt.de>
+
+- Add patch to prevent path traversal (boo#1175857, CVE-2020-24654):
+  * 0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch
+
+-------------------------------------------------------------------

New:
----
  0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ark.spec ++++++
--- /var/tmp/diff_new_pack.lJxhbC/_old  2020-09-03 01:12:07.572426424 +0200
+++ /var/tmp/diff_new_pack.lJxhbC/_new  2020-09-03 01:12:07.572426424 +0200
@@ -30,6 +30,8 @@
 Source:         
https://download.kde.org/stable/release-service/%{version}/src/%{name}-%{version}.tar.xz
 # PATCH-FIX-OPENSUSE
 Patch0:         0001-Support-building-against-libarchive-3.3.2-again.patch
+# PATCH-FIX-UPSTREAM
+Patch1:         0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch
 BuildRequires:  extra-cmake-modules
 BuildRequires:  kf5-filesystem
 BuildRequires:  libarchive-devel
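Review bot: Patch1 is declared here, but this is the only hunk in ark.spec, so %prep is unchanged; the patch is applied only if %prep already uses %autosetup or %autopatch rather than explicit per-patch %patch lines. Please confirm that, since a declared but unapplied patch would leave CVE-2020-24654 unfixed in the built package. It would also help to put the references from the changelog entry (boo#1175857, CVE-2020-24654) on the "# PATCH-FIX-UPSTREAM" comment line, so the spec itself says what the patch is for.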

++++++ 0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch ++++++
>From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fab...@ritter-vogt.de>
Date: Tue, 25 Aug 2020 22:14:37 +0200
Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive

There are archive types which allow to first create a symlink and then
later on dereference it. If the symlink points outside of the archive,
this results in writing outside of the destination directory.

With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids
this situation by verifying that none of the target path components are
symlinks before writing.

Remove the commented out code in the method, which would actually
misbehave if enabled again.

Signed-off-by: Fabian Vogt <fab...@ritter-vogt.de>
---
 plugins/libarchive/libarchiveplugin.cpp | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/plugins/libarchive/libarchiveplugin.cpp 
b/plugins/libarchive/libarchiveplugin.cpp
index 50e81da1..8a0fed21 100644
--- a/plugins/libarchive/libarchiveplugin.cpp
+++ b/plugins/libarchive/libarchiveplugin.cpp
@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct 
archive_entry *aentry)
 
 int LibarchivePlugin::extractionFlags() const
 {
-    int result = ARCHIVE_EXTRACT_TIME;
-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-
-    // TODO: Don't use arksettings here
-    /*if ( ArkSettings::preservePerms() )
-    {
-        result &= ARCHIVE_EXTRACT_PERM;
-    }
-
-    if ( !ArkSettings::extractOverwrite() )
-    {
-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
-    }*/
-
-    return result;
+    return ARCHIVE_EXTRACT_TIME
+           | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+           | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
 }
 
 void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, 
bool partialprogress)
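Review bot: the new return expression in extractionFlags() adds ARCHIVE_EXTRACT_SECURE_SYMLINKS next to ARCHIVE_EXTRACT_SECURE_NODOTDOT but leaves out ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS, the third libarchive flag in the same family; unless absolute entry paths are already rejected elsewhere in the plugin, consider OR-ing it in here as well so that all path-escape checks are requested in one place. The diffstat shows only libarchiveplugin.cpp changed, so no regression test comes with the fix; an extraction test using an archive that contains a symlink followed by an entry written through it would pin the behaviour. Dropping the commented-out block is the right call: it used "result &= ..." where "|=" was needed, which would have cleared the flags already set.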
-- 
2.25.1



