Author: bdubbs Date: Fri Aug 28 10:56:03 2020 New Revision: 4175 Log: Add a patch to ark identified upstream
Added: trunk/ark/ trunk/ark/ark-20.08.0-upstream_fix-1.patch
Added: trunk/ark/ark-20.08.0-upstream_fix-1.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ trunk/ark/ark-20.08.0-upstream_fix-1.patch Fri Aug 28 10:56:03 2020 (r4175)
@@ -0,0 +1,37 @@
+Submitted By: Bruce Dubbs (bdubbs at linuxfromscratch dot org)
+Date: 2020-08-28
+Initial Package Version: ark-20.08.0
+Origin: http://ftp.kernel.org/pub/linux/daemons/autofs/v4/
+Upstream Status: Committed
+Description: A maliciously crafted TAR archive with symlinks can
+ install files outside the extraction directory.
+
+diff -Naur ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp
+--- ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp 2020-08-05 02:53:26.000000000 -0500
++++ ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp 2020-08-28 12:46:09.307464120 -0500
+@@ -509,21 +509,9 @@
+ 
+ int LibarchivePlugin::extractionFlags() const
+ {
+- int result = ARCHIVE_EXTRACT_TIME;
+- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+- // TODO: Don't use arksettings here
+- /*if ( ArkSettings::preservePerms() )
+- {
+- result &= ARCHIVE_EXTRACT_PERM;
+- }
+-
+- if ( !ArkSettings::extractOverwrite() )
+- {
+- result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+- }*/
+-
+- return result;
++ return ARCHIVE_EXTRACT_TIME
++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+ 
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
+ 
-- 
http://lists.linuxfromscratch.org/listinfo/patches
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
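Review bot: The `Origin:` line in the added patch header (`+Origin: http://ftp.kernel.org/pub/linux/daemons/autofs/v4/`) points at the autofs download tree, which is unrelated to ark, while `Upstream Status: Committed` and the log message say the fix was identified upstream in ark; it should cite the actual ark commit instead, e.g. `+Origin: Upstream, <URL of the ark commit adding ARCHIVE_EXTRACT_SECURE_SYMLINKS>` (placeholder). On the code side, the rewritten `extractionFlags()` now also sets `ARCHIVE_EXTRACT_SECURE_SYMLINKS`, so libarchive refuses to create an entry whose final location would pass through a symlink already on disk, which matches the traversal the description names; that flag does not by itself reject entries whose own name is an absolute path, so unless the plugin normalises entry paths elsewhere (not visible here), `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` belongs in the same expression. A short comment above the return, `// SECURE_* flags keep crafted archives from writing outside the extraction directory; never make them configurable`, would record why the flags are unconditional now that the commented-out ArkSettings block is gone. The whole body of `extractionFlags()` lies inside the hunk.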
