From 2a70303a4bb5ba071ad5706516a263f19b29cbc9 Mon Sep 17 00:00:00 2001 From: Eric Hameleers Date: Thu, 30 Jul 2020 19:36:05 +0200 Subject: Ark: apply patch for CVE-2020-16116 --- kde/patch/ark.patch | 8 +++--- kde/patch/ark/ark_cve-2020-16116.patch | 47 ++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 5 deletions(-) create mode 100644 kde/patch/ark/ark_cve-2020-16116.patch diff --git a/kde/patch/ark.patch b/kde/patch/ark.patch index 35ac2d3..3710075 100644 --- a/kde/patch/ark.patch +++ b/kde/patch/ark.patch @@ -1,7 +1,5 @@ -# Ark won't open RAR archives unless rar is installed (even for read access). -# KDEBUG #357057 is fixed in 15.12.1; still needs unrar. -#cat $CWD/patch/ark/ark_kdebug357057.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; } - # Fix a compilation issue in 18.04.0: -cat $CWD/patch/ark/ark_include_memory.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +#cat $CWD/patch/ark/ark_include_memory.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; } +# Fix for CVE-2020-16116: +cat $CWD/patch/ark/ark_cve-2020-16116.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; } diff --git a/kde/patch/ark/ark_cve-2020-16116.patch b/kde/patch/ark/ark_cve-2020-16116.patch new file mode 100644 index 0000000..b3feb1b --- /dev/null +++ b/kde/patch/ark/ark_cve-2020-16116.patch @@ -0,0 +1,47 @@ +From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001 +From: Elvis Angelaccio +Date: Wed, 29 Jul 2020 23:45:30 +0200 +Subject: [PATCH] Fix vulnerability to path traversal attacks + +Ark was vulnerable to directory traversal attacks because of +missing validation of file paths in the archive. + +More details about this attack are available at: +https://github.com/snyk/zip-slip-vulnerability + +Job::onEntry() is the only place where we can safely check the path of +every entry in the archive. There shouldn't be a valid reason +to have a "../" in an archive path, so we can just play safe and abort +the LoadJob if we detect such an entry. This makes impossibile to +extract this kind of malicious archives and perform the attack. + +Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath() +so that we can still allow loading of legitimate archives that +contain "../" in their paths but still resolve inside the extraction folder. +--- + kerfuffle/jobs.cpp | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp +index fdaa48695..f73b56f86 100644 +--- a/kerfuffle/jobs.cpp ++++ b/kerfuffle/jobs.cpp +@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details) + + void Job::onEntry(Archive::Entry *entry) + { ++ const QString entryFullPath = entry->fullPath(); ++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) { ++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath; ++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString()); ++ onFinished(false); ++ return; ++ } ++ + emit newEntry(entry); + } + +-- +GitLab + + -- cgit v1.2.3