KDE has issued an advisory tomorrow (July 30): https://kde.org/info/security/advisory-20200730-1.txt The issue is fixed upstream in 20.08.0 and the advisory links to the commit that fixed it. There's also a PoC. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated ark packages fix security vulnerability:

A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction (CVE-2020-16116).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16116
https://kde.org/info/security/advisory-20200730-1.txt
========================

Updated packages in core/updates_testing:
========================
ark-19.04.0-1.1.mga7
ark-handbook-19.04.0-1.1.mga7
libkerfuffle19-19.04.0-1.1.mga7

from ark-19.04.0-1.1.mga7.src.rpm
Assignee: kde => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Patch available from upstream => (none)
mga7, x86_64

This looks like a familiar exploit, common to other archivers.

CVE-2020-16116
https://kde.org/info/security/advisory-20200730-1.txt
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

$ rpm -q ark
ark-19.04.0-1.mga7

Before update:

$ ark relative2.zip
QDBusConnection: name 'org.kde.JobViewServer' had owner '' but we thought it was ':1.80767'
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
kf5.kservice.sycoca: Parse error in "/home/lcl/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu" , line 1 , col 1 : "unexpected end of file"
kf5.kservice.services: The desktop entry file "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop" has Type= "Application" but no Exec line
kf5.kservice.sycoca: Invalid Service : "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop"
Qt: Session management error: networkIdsList argument is NULL

In the gui used extract on *
Error popup: Failed to open file for writing: /home/lcl/tmp/../../moo

After updating the three packages:

$ ark relative2.zip
ark.kerfuffle: Possibly malicious archive. Detected entry that could lead to a directory traversal attack: "tmp/../../moo"

The gui opened with a warning message as well.

Copied a tar file to tmp for extraction operations.

$ ark fontpack.tar
Gui shows the two level folder structure.

$ ark fontpack.tar
Gui appeared and so did several error messages in the terminal about Qt and kf5.kservice.sycoca which seemed irrelevant because the gui functions perfectly in Mate.

Quoting them here for the record:

kf5.kservice.sycoca: Parse error in "/home/lcl/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu" , line 1 , col 1 : "unexpected end of file"
kf5.kservice.services: The desktop entry file "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop" has Type= "Application" but no Exec line
kf5.kservice.sycoca: Invalid Service : "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop"
Qt: Session management error: networkIdsList argument is NULL

Extracted a single file after enabling subfolder quoting the full path within the archive. It appeared in the fontpack subfolder.

Highlighted the fontpack archive and used * with extract. That extracted all the files and subdirectories to the fontpack folder after raising an overwrite query on the pre-existing TTF file.

Created an archive from a subset of the font files:

$ ark --autofilename tar.gz -c g*

This produced fontpack.tar.gz. Moved that to another directory.

$ gunzip fontpack.tar.gz
$ tar tf fontpack.tar
gemelli.ttf
georgiab.ttf
georgiai.ttf
georgia.ttf
georgiaz.ttf
guanine_.ttf
gunplay3.ttf
gunplay.ttf

That should be enough for now. The result of the PoC test is good.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
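The kind of check the fixed Ark applies when it reports "Detected entry that could lead to a directory traversal attack" for "tmp/../../moo", written out as an added Python example for the record. This is not Ark's own code (Ark and libkerfuffle are C++/Qt); it is an independent illustration of the same defensive rule: normalise each member name, reject anything absolute or anything that still climbs above the extraction directory after normalisation, and re-verify the resolved target path before writing. The archive is constructed in memory with the same escaping entry the QA test observed; it is not the relative2.zip from the traversal-archives project linked above. The function and variable names are the example's own.

```python
import io
import os
import posixpath
import re
import shutil
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not relative2.zip): one entry that climbs out
    of the extraction directory, one absolute entry, and one benign entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tmp/../../moo", b"escaped\n")   # same shape as the PoC entry
        zf.writestr("tmp/keep.txt", b"fine\n")
        zf.writestr("/etc/evil", b"absolute\n")
    return buf.getvalue()


def is_traversal(name: str) -> bool:
    """True if an archive member name would resolve outside the extraction dir.

    Backslashes are treated as separators as well, so a name that is only
    dangerous under one interpretation is still rejected.
    """
    name = name.replace("\\", "/")
    if name.startswith("/"):                 # absolute POSIX path
        return True
    if re.match(r"^[A-Za-z]:", name):        # Windows drive letter prefix
        return True
    norm = posixpath.normpath(name)          # collapses "tmp/../../moo" to "../moo"
    return norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> dict:
    """Map every member name in the archive to 'traversal' or 'ok'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: ("traversal" if is_traversal(info.filename) else "ok")
            for info in zf.infolist()
        }


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only members that stay under dest; return the names written."""
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_traversal(info.filename):
                continue                      # skip, as the fixed Ark refuses
            target = os.path.realpath(os.path.join(dest, info.filename))
            # Second, path-level check on the resolved target, independent of
            # the name-level check above.
            if os.path.commonpath([dest, target]) != dest:
                continue
            zf.extract(info, dest)
            written.append(info.filename)
    return written


def extract_sample_to_tempdir():
    """Run safe_extract on the sample archive in a throwaway directory.

    Returns (names_written, escaped) where escaped is True only if a file
    appeared one level above the extraction directory, i.e. where
    "tmp/../../moo" would have landed.
    """
    root = tempfile.mkdtemp(prefix="ark-traversal-demo-")
    dest = os.path.join(root, "extract")
    os.mkdir(dest)
    try:
        written = safe_extract(build_sample_zip(), dest)
        escaped = os.path.exists(os.path.join(root, "moo"))
    finally:
        shutil.rmtree(root)
    return written, escaped


if __name__ == "__main__":
    for member, verdict in audit_zip(build_sample_zip()).items():
        print(f"{verdict:9s} {member}")
    print(extract_sample_to_tempdir())
```

The name-level check alone is what produces the warning; the second, resolved-path comparison in safe_extract is there because an extractor that has already created symlinks from earlier members can be redirected even by names that pass the first test, so checking the real target before each write is the conservative default.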
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued an advisory for this on August 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0323.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED