Sun Sep 20 11:05:31 2020 UTC ()
ark: patches for CVE-2020-16116 and CVE-2020-24654


(markd)
diff -r1.61 -r1.62 pkgsrc/archivers/ark/Makefile
diff -r1.12 -r1.13 pkgsrc/archivers/ark/distinfo
diff -r0 -r1.1 pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp
diff -r0 -r1.1 pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp
cvs diff -r1.61 -r1.62 pkgsrc/archivers/ark/Makefile (expand / switch to unified diff)

--- pkgsrc/archivers/ark/Makefile 2020/08/18 17:57:33 1.61
+++ pkgsrc/archivers/ark/Makefile 2020/09/20 11:05:31 1.62
@@ -1,17 +1,17 @@ @@ -1,17 +1,17 @@
1# $NetBSD: Makefile,v 1.61 2020/08/18 17:57:33 leot Exp $ 1# $NetBSD: Makefile,v 1.62 2020/09/20 11:05:31 markd Exp $
2 2
3DISTNAME= ark-${KAPPSVER} 3DISTNAME= ark-${KAPPSVER}
4PKGREVISION= 2 4PKGREVISION= 3
5CATEGORIES= x11 5CATEGORIES= x11
6 6
7HOMEPAGE= https://kde.org/applications/utilities/ark/ 7HOMEPAGE= https://kde.org/applications/utilities/ark/
8COMMENT= Manages various archive formats within the KDE environment 8COMMENT= Manages various archive formats within the KDE environment
9LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2 AND gnu-fdl-v1.2 9LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2 AND gnu-fdl-v1.2
10 10
11.include "../../meta-pkgs/kde/applications.mk" 11.include "../../meta-pkgs/kde/applications.mk"
12 12
13BUILD_DEPENDS+= kdoctools>=5.19.0:../../devel/kdoctools 13BUILD_DEPENDS+= kdoctools>=5.19.0:../../devel/kdoctools
14 14
15USE_TOOLS+= msgmerge 15USE_TOOLS+= msgmerge
16 16
17.include "../../archivers/bzip2/buildlink3.mk" 17.include "../../archivers/bzip2/buildlink3.mk"
cvs diff -r1.12 -r1.13 pkgsrc/archivers/ark/distinfo (expand / switch to unified diff)

--- pkgsrc/archivers/ark/distinfo 2020/06/09 11:56:05 1.12
+++ pkgsrc/archivers/ark/distinfo 2020/09/20 11:05:31 1.13
@@ -1,6 +1,8 @@ @@ -1,6 +1,8 @@
1$NetBSD: distinfo,v 1.12 2020/06/09 11:56:05 markd Exp $ 1$NetBSD: distinfo,v 1.13 2020/09/20 11:05:31 markd Exp $
2 2
3SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422 3SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422
4RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7 4RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7
5SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1 5SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1
6Size (ark-20.04.1.tar.xz) = 2587528 bytes 6Size (ark-20.04.1.tar.xz) = 2587528 bytes
 7SHA1 (patch-kerfuffle_jobs.cpp) = 41684c88ef8518e9a06ddcb073cf7251f78b9a79
 8SHA1 (patch-plugins_libarchive_libarchiveplugin.cpp) = 1cd5da5873f3e32f79ce0a85a1afabca28b96fcd
File Added: pkgsrc/archivers/ark/patches/Attic/patch-kerfuffle_jobs.cpp
$NetBSD: patch-kerfuffle_jobs.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $

https://kde.org/info/security/advisory-20200730-1.txt
A maliciously crafted archive with "../" in the file paths would
install files anywhere in the user's home directory upon extraction.

--- kerfuffle/jobs.cpp.orig	2020-05-11 21:15:07.000000000 +0000
+++ kerfuffle/jobs.cpp
@@ -181,6 +181,13 @@ void Job::onError(const QString & messag
 
 void Job::onEntry(Archive::Entry *entry)
 {
+    const QString entryFullPath = entry->fullPath();
+    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
+        qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
+        onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
+        onFinished(false);
+        return;
+    }
     emit newEntry(entry);
 }
File Added: pkgsrc/archivers/ark/patches/Attic/patch-plugins_libarchive_libarchiveplugin.cpp
$NetBSD: patch-plugins_libarchive_libarchiveplugin.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $

https://kde.org/info/security/advisory-20200827-1.txt
A maliciously crafted TAR archive containing symlink entries would
install files anywhere in the user's home directory upon extraction.

--- plugins/libarchive/libarchiveplugin.cpp.orig	2020-05-11 21:15:07.000000000 +0000
+++ plugins/libarchive/libarchiveplugin.cpp
@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArch
 
 int LibarchivePlugin::extractionFlags() const
 {
-    int result = ARCHIVE_EXTRACT_TIME;
-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-
-    // TODO: Don't use arksettings here
-    /*if ( ArkSettings::preservePerms() )
-    {
-        result &= ARCHIVE_EXTRACT_PERM;
-    }
-
-    if ( !ArkSettings::extractOverwrite() )
-    {
-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
-    }*/
-
-    return result;
+    return ARCHIVE_EXTRACT_TIME
+           | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+           | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
 }
 
 void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)