[Bug 1893465] [NEW] KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.

vishnunaini 1893465 at bugs.launchpad.net
Fri Aug 28 17:17:25 UTC 2020


*** This bug is a security vulnerability ***

Public security bug reported:

I have included a debdiff imported from upstream for the below security
advisory for ark.

I have tested the patch in ppa with the sample archive issued in the
advisory and can confirm it works without any noticeable issues.


KDE Project Security Advisory
=============================

Title:           Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-24654
Versions:        ark <= 20.08.0
Author:          Elvis Angelaccio <elvis.angelaccio at kde.org>
Date:            27 August 2020

Overview
========

A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.

Workaround
==========

Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be
used.

Solution
========

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR
archives.

Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous
releases.
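The Workaround section asks users to inspect an archive for symlink entries pointing outside the extraction folder, and the Solution section describes the fix as skipping such symlinks. The following Python script is an added example of both checks; it is not Ark's code, not part of the advisory, and not the debdiff attached to this bug. It uses only the standard tarfile module. The extraction directory, the archive built in memory and its member names are constructed for the demonstration and are not taken from the sample archive linked above. The check also flags plain `../` traversal and hard links that resolve outside the destination, which goes slightly beyond the symlink case the advisory describes.

```python
"""Inspect a TAR archive for entries that would write outside the extraction
directory, and extract only the entries that stay inside.

Added example, not Ark's code. The extraction directory, archive contents
and member names below are constructed for the demonstration.
"""
import io
import os
import posixpath
import tarfile


def _inside(path, dest):
    """True if the absolute path is dest itself or lies below it."""
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def _landing_path(name, dest, links):
    """Absolute path an archive entry would land at, given the symlinks
    (archive path -> absolute target) that earlier entries already created."""
    real, key = dest, ""
    for part in name.split("/"):
        if part in ("", "."):
            continue
        key = posixpath.normpath(posixpath.join(key, part)) if key else part
        if part == "..":
            real = posixpath.dirname(real)
        elif key in links:            # walking through a symlinked directory
            real = links[key]
        else:
            real = posixpath.join(real, part)
    return real


def find_unsafe_members(data, dest):
    """Return (member name, reason) for every entry whose symlink target, hard
    link target or own location resolves outside dest. Entries are processed
    in archive order: a symlink only affects the entries written after it."""
    dest = posixpath.normpath(dest)
    links, unsafe = {}, []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            where = _landing_path(m.name, dest, links)
            if m.issym():
                parent = _landing_path(posixpath.dirname(m.name), dest, links)
                target = (m.linkname if m.linkname.startswith("/")
                          else posixpath.normpath(posixpath.join(parent, m.linkname)))
                links[posixpath.normpath(m.name)] = target
                if not _inside(target, dest):
                    unsafe.append((m.name, "symlink -> " + m.linkname))
                    continue
            elif m.islnk():
                if not _inside(_landing_path(m.linkname, dest, links), dest):
                    unsafe.append((m.name, "hard link -> " + m.linkname))
                    continue
            if not _inside(where, dest):
                unsafe.append((m.name, "lands at " + where))
    return unsafe


def extract_safely(data, dest):
    """Extract every member that find_unsafe_members did not flag.
    Returns the sorted names of the members that were skipped."""
    dest = os.path.abspath(dest)
    bad = {name for name, _ in find_unsafe_members(data, dest)}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            if m.name not in bad:
                tar.extract(m, path=dest)
    return sorted(bad)


def build_sample_archive():
    """Constructed test input: a harmless file, a symlink that stays inside,
    then the pattern from the advisory (a directory symlink pointing above the
    extraction directory followed by a file written through it) and one
    plain ../ traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, text):
            info = tarfile.TarInfo(name)
            payload = text.encode()
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("readme.txt", "harmless\n")
        add_symlink("inside", "readme.txt")       # stays within the destination
        add_symlink("escape", "..")               # constructed: parent of the destination
        add_file("escape/.bashrc", "# would land in the user's home directory\n")
        add_file("../sibling.txt", "constructed ../ traversal entry\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_unsafe_members(build_sample_archive(), "/home/user/extract"):
        print(f"UNSAFE {name}: {reason}")
```

Resolution is done purely on the archive's own entries, so the script can vet a download before anything touches the disk; it does not follow symlinks that already exist on the filesystem under the destination. Python 3.12 and later ship a comparable policy as `tarfile.extractall(filter="data")`.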


Credits
=======

Thanks to Fabian Vogt for reporting this issue and for fixing it.

** Affects: ark (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "CVE-2020-24654-tar-symlinks-outside-extraction-directory.debdiff"
   https://bugs.launchpad.net/bugs/1893465/+attachment/5405512/+files/CVE-2020-24654-tar-symlinks-outside-extraction-directory.debdiff

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24654

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1893465
