Sun Sep 20 11:05:31 2020 UTC ()
ark: patches for CVE-2020-16116 and CVE-2020-24654
(markd)
diff -r1.61 -r1.62 pkgsrc/archivers/ark/Makefile
diff -r1.12 -r1.13 pkgsrc/archivers/ark/distinfo
diff -r0 -r1.1 pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp
diff -r0 -r1.1 pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp
--- pkgsrc/archivers/ark/Makefile 2020/08/18 17:57:33 1.61
+++ pkgsrc/archivers/ark/Makefile 2020/09/20 11:05:31 1.62
| @@ -1,17 +1,17 @@ | | | @@ -1,17 +1,17 @@ |
1 | # $NetBSD: Makefile,v 1.61 2020/08/18 17:57:33 leot Exp $ | | 1 | # $NetBSD: Makefile,v 1.62 2020/09/20 11:05:31 markd Exp $ |
2 | | | 2 | |
3 | DISTNAME= ark-${KAPPSVER} | | 3 | DISTNAME= ark-${KAPPSVER} |
4 | PKGREVISION= 2 | | 4 | PKGREVISION= 3 |
5 | CATEGORIES= x11 | | 5 | CATEGORIES= x11 |
6 | | | 6 | |
7 | HOMEPAGE= https://kde.org/applications/utilities/ark/ | | 7 | HOMEPAGE= https://kde.org/applications/utilities/ark/ |
8 | COMMENT= Manages various archive formats within the KDE environment | | 8 | COMMENT= Manages various archive formats within the KDE environment |
9 | LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2 AND gnu-fdl-v1.2 | | 9 | LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2 AND gnu-fdl-v1.2 |
10 | | | 10 | |
11 | .include "../../meta-pkgs/kde/applications.mk" | | 11 | .include "../../meta-pkgs/kde/applications.mk" |
12 | | | 12 | |
13 | BUILD_DEPENDS+= kdoctools>=5.19.0:../../devel/kdoctools | | 13 | BUILD_DEPENDS+= kdoctools>=5.19.0:../../devel/kdoctools |
14 | | | 14 | |
15 | USE_TOOLS+= msgmerge | | 15 | USE_TOOLS+= msgmerge |
16 | | | 16 | |
17 | .include "../../archivers/bzip2/buildlink3.mk" | | 17 | .include "../../archivers/bzip2/buildlink3.mk" |
--- pkgsrc/archivers/ark/distinfo 2020/06/09 11:56:05 1.12
+++ pkgsrc/archivers/ark/distinfo 2020/09/20 11:05:31 1.13
| @@ -1,6 +1,8 @@ | | | @@ -1,6 +1,8 @@ |
1 | $NetBSD: distinfo,v 1.12 2020/06/09 11:56:05 markd Exp $ | | 1 | $NetBSD: distinfo,v 1.13 2020/09/20 11:05:31 markd Exp $ |
2 | | | 2 | |
3 | SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422 | | 3 | SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422 |
4 | RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7 | | 4 | RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7 |
5 | SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1 | | 5 | SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1 |
6 | Size (ark-20.04.1.tar.xz) = 2587528 bytes | | 6 | Size (ark-20.04.1.tar.xz) = 2587528 bytes |
| | | 7 | SHA1 (patch-kerfuffle_jobs.cpp) = 41684c88ef8518e9a06ddcb073cf7251f78b9a79 |
| | | 8 | SHA1 (patch-plugins_libarchive_libarchiveplugin.cpp) = 1cd5da5873f3e32f79ce0a85a1afabca28b96fcd |
$NetBSD: patch-kerfuffle_jobs.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
https://kde.org/info/security/advisory-20200730-1.txt
A maliciously crafted archive with "../" in the file paths would
install files anywhere in the user's home directory upon extraction.
--- kerfuffle/jobs.cpp.orig 2020-05-11 21:15:07.000000000 +0000
+++ kerfuffle/jobs.cpp
@@ -181,6 +181,13 @@ void Job::onError(const QString & messag
void Job::onEntry(Archive::Entry *entry)
{
+ const QString entryFullPath = entry->fullPath();
+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
+ onFinished(false);
+ return;
+ }
emit newEntry(entry);
}
$NetBSD: patch-plugins_libarchive_libarchiveplugin.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
https://kde.org/info/security/advisory-20200827-1.txt
A maliciously crafted TAR archive containing symlink entries would
install files anywhere in the user's home directory upon extraction.
--- plugins/libarchive/libarchiveplugin.cpp.orig 2020-05-11 21:15:07.000000000 +0000
+++ plugins/libarchive/libarchiveplugin.cpp
@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArch
int LibarchivePlugin::extractionFlags() const
{
- int result = ARCHIVE_EXTRACT_TIME;
- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-
- // TODO: Don't use arksettings here
- /*if ( ArkSettings::preservePerms() )
- {
- result &= ARCHIVE_EXTRACT_PERM;
- }
-
- if ( !ArkSettings::extractOverwrite() )
- {
- result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
- }*/
-
- return result;
+ return ARCHIVE_EXTRACT_TIME
+ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
}
void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)