From 2a70303a4bb5ba071ad5706516a263f19b29cbc9 Mon Sep 17 00:00:00 2001
From: Eric Hameleers
Date: Thu, 30 Jul 2020 19:36:05 +0200
Subject: Ark: apply patch for CVE-2020-16116
---
kde/patch/ark/ark_cve-2020-16116.patch | 47 ++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 kde/patch/ark/ark_cve-2020-16116.patch
(limited to 'kde/patch/ark')
diff --git a/kde/patch/ark/ark_cve-2020-16116.patch b/kde/patch/ark/ark_cve-2020-16116.patch
new file mode 100644
index 0000000..b3feb1b
--- /dev/null
+++ b/kde/patch/ark/ark_cve-2020-16116.patch
@@ -0,0 +1,47 @@
+From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
+From: Elvis Angelaccio
+Date: Wed, 29 Jul 2020 23:45:30 +0200
+Subject: [PATCH] Fix vulnerability to path traversal attacks
+
+Ark was vulnerable to directory traversal attacks because of
+missing validation of file paths in the archive.
+
+More details about this attack are available at:
+https://github.com/snyk/zip-slip-vulnerability
+
+Job::onEntry() is the only place where we can safely check the path of
+every entry in the archive. There shouldn't be a valid reason
+to have a "../" in an archive path, so we can just play safe and abort
+the LoadJob if we detect such an entry. This makes impossibile to
+extract this kind of malicious archives and perform the attack.
+
+Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
+so that we can still allow loading of legitimate archives that
+contain "../" in their paths but still resolve inside the extraction folder.
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
+index fdaa48695..f73b56f86 100644
+--- a/kerfuffle/jobs.cpp
++++ b/kerfuffle/jobs.cpp
+@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
+
+ void Job::onEntry(Archive::Entry *entry)
+ {
++ const QString entryFullPath = entry->fullPath();
++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++ onFinished(false);
++ return;
++ }
++
+ emit newEntry(entry);
+ }
+
+--
+GitLab
+
+
-- cgit v1.2.3
From 52b1f1cb9f8d4e1fb1fcbde59930a105a819b0b4 Mon Sep 17 00:00:00 2001
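Review bot: The new guard in Job::onEntry() tests only the entry's own path string, so an entry whose cleaned path is exactly `..` (no trailing slash, so `contains("../")` is false) or an absolute path passes it, and link-type entries whose target resolves outside the destination are not considered at all. Whether Ark's extraction backends independently strip absolute paths or validate link targets is not visible in this hunk; if they do not, the whole traversal defence rests on this one string test, so that assumption is worth confirming and recording in a comment above the `if`. A cheap tightening of the second and third added lines would be `const QString cleaned = QDir::cleanPath(entryFullPath);` followed by `if (cleaned == QLatin1String("..") || cleaned.contains(QLatin1String("../")) || QDir::isAbsolutePath(cleaned)) {`, with link targets given the same cleanPath treatment wherever the entry model exposes them. As this file is a vendored upstream patch, the point belongs upstream or in a follow-up patch rather than as a local edit.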
From: Eric Hameleers
Date: Thu, 30 Jul 2020 19:45:19 +0200
Subject: Cleanup unused KDE patches
Thanks to Patrick Volkerding for the effort.
---
kde/patch/ark/ark_kdebug357057.patch | 37 ------------------------------------
1 file changed, 37 deletions(-)
delete mode 100644 kde/patch/ark/ark_kdebug357057.patch
(limited to 'kde/patch/ark')
diff --git a/kde/patch/ark/ark_kdebug357057.patch b/kde/patch/ark/ark_kdebug357057.patch
deleted file mode 100644
index 76c0bab..0000000
--- a/kde/patch/ark/ark_kdebug357057.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Elvis Angelaccio
-Date: Wed, 23 Dec 2015 16:19:29 +0000
-Subject: Fallback to read-only mode if there are no read-write executables
-X-Git-Url: http://quickgit.kde.org/?p=ark.git&a=commitdiff&h=087e5aab49c60ac5930742fe892fa930048e2f43
----
-Fallback to read-only mode if there are no read-write executables
-
-Commit 2d000a0 introduced executables check when loading a plugin. However the
-current behavior is too restrictive: if one wants only to open a rar or a
-zip archive, there is no need to require also the rar or zip program to be
-installed. Plus, some distributions (e.g. Archlinux) ship only unrar in their
-official repositories.
-
-With this commit, Ark is able to understand that e.g. unrar is installed but
-rar is not. In this case, Ark can and should fallback to read-only mode,
-to disable the Add/Delete actions in the toolbar.
-
-BUG: 357057
-FIXED-IN: 15.12.1
-
-CC: rthomsen6@gmail.com
----
-
-
---- a/kerfuffle/archive_kerfuffle.cpp
-+++ b/kerfuffle/archive_kerfuffle.cpp
-@@ -173,6 +173,9 @@
-
- if (iface->findExecutables(!isReadOnly)) {
- return new Archive(iface, isReadOnly, parent);
-+ } else if (!isReadOnly && iface->findExecutables(false)) {
-+ qCWarning(ARK) << "Failed to find read-write executables: falling back to read-only mode for read-write plugin" << pluginName;
-+ return new Archive(iface, true, parent);
- } else {
- qCWarning(ARK) << "Failed to find needed executables for plugin" << pluginName;
- }
-
-- cgit v1.2.3