Bug 27023 - ark new security issue CVE-2020-16116
Summary: ark new security issue CVE-2020-16116
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-30 03:56 CEST by David Walser
Modified: 2020-08-18 19:43 CEST

See Also:
Source RPM: ark-20.04.3-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-07-30 03:56:29 CEST
KDE has issued an advisory tomorrow (July 30):
https://kde.org/info/security/advisory-20200730-1.txt

The issue is fixed upstream in 20.08.0 and the advisory links to the commit that fixed it.  There's also a PoC.

Mageia 7 is also affected.
David Walser 2020-07-30 03:57:36 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 David GEIGER 2020-07-30 07:04:23 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-07-30 14:37:56 CEST
Advisory:
========================

Updated ark packages fix security vulnerability:

A maliciously crafted archive with "../" in the file paths would install files
anywhere in the user's home directory upon extraction (CVE-2020-16116).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16116
https://kde.org/info/security/advisory-20200730-1.txt
========================

Updated packages in core/updates_testing:
========================
ark-19.04.0-1.1.mga7
ark-handbook-19.04.0-1.1.mga7
libkerfuffle19-19.04.0-1.1.mga7

from ark-19.04.0-1.1.mga7.src.rpm

Assignee: kde => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Patch available from upstream => (none)

Comment 3 Len Lawrence 2020-08-01 11:41:51 CEST
mga7, x86_64

This looks like a familiar exploit, common to other archivers.

CVE-2020-16116
https://kde.org/info/security/advisory-20200730-1.txt
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

$ rpm -q ark
ark-19.04.0-1.mga7

Before update:

$ ark relative2.zip
QDBusConnection: name 'org.kde.JobViewServer' had owner '' but we thought it was ':1.80767'
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
kf5.kservice.sycoca: Parse error in  "/home/lcl/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu" , line  1 , col  1 :  "unexpected end of file"
kf5.kservice.services: The desktop entry file "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop" has Type= "Application" but no Exec line
kf5.kservice.sycoca: Invalid Service :  "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop"
Qt: Session management error: networkIdsList argument is NULL

In the gui used extract on *
Error popup:
Failed to open file for writing: /home/lcl/tmp/../../moo

After updating the three packages:
$ ark relative2.zip 
ark.kerfuffle: Possibly malicious archive. Detected entry that could lead to a directory traversal attack: "tmp/../../moo"

The gui opened with a warning message as well.

Copied a tar file to tmp for extraction operations.
$ ark fontpack.tar
Gui shows the two level folder structure.

$ ark fontpack.tar
Gui appeared and so did several error messages in the terminal about Qt and kf5.kservice.sycoca which seemed irrelevant because the gui functions perfectly in Mate.  Quoting them here for the record:
kf5.kservice.sycoca: Parse error in  "/home/lcl/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu" , line  1 , col  1 :  "unexpected end of file"
kf5.kservice.services: The desktop entry file "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop" has Type= "Application" but no Exec line
kf5.kservice.sycoca: Invalid Service :  "/usr/share/applications/org.gnome.ChromeGnomeShell.desktop"
Qt: Session management error: networkIdsList argument is NULL

Extracted a single file after enabling subfolder quoting the full path within the archive.  It appeared in the fontpack subfolder.  Highlighted the fontpack archive and used * with extract.  That extracted all the files and subdirectories to the fontpack folder after raising an overwrite query on the pre-existing TTF file.

Created an archive from a subset of the font files:
$ ark --autofilename tar.gz -c g*
This produced fontpack.tar.gz.  Moved that to another directory.
$ gunzip fontpack.tar.gz
$ tar tf fontpack.tar
gemelli.ttf
georgiab.ttf
georgiai.ttf
georgia.ttf
georgiaz.ttf
guanine_.ttf
gunplay3.ttf
gunplay.ttf

That should be enough for now.  The result of the PoC test is good.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

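The entry-path check that the advisory in Comment 2 describes and that Comment 3 exercises with relative2.zip, as an added worked example. This is not Ark's code and is not part of this bug report: it constructs its own small sample zip (not jwilk's relative2.zip) with one benign entry, one entry in the "tmp/../../moo" style and one absolute entry, then extracts it with the same kind of normalise-and-compare check the fixed Ark applies, refusing anything that would land outside the destination directory. The default destination "/home/user/extract" is a placeholder path.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

# Placeholder destination used when is_traversal() is called without one.
DEFAULT_DEST = "/home/user/extract"


def is_traversal(entry_name: str, dest: str = DEFAULT_DEST) -> bool:
    """True if writing entry_name under dest would land outside dest.

    Same idea as the fixed Ark's check (this is not Ark's code): normalise the
    joined path and refuse absolute names or names that climb out of dest.
    """
    if os.path.isabs(entry_name):
        return True
    dest_real = os.path.normpath(os.path.abspath(dest))
    target = os.path.normpath(os.path.join(dest_real, entry_name))
    # commonpath(), not startswith(): a prefix test would accept a target in
    # "/home/user/extract-evil" when dest is "/home/user/extract".
    return os.path.commonpath([dest_real, target]) != dest_real


def build_poc_zip() -> bytes:
    """Constructed sample archive, not jwilk's relative2.zip.

    zipfile.writestr() stores entry names verbatim, so the traversal and
    absolute names survive into the archive exactly as an attacker would
    write them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tmp/safe.txt", b"benign\n")
        zf.writestr("tmp/../../moo", b"escaped one level above dest\n")
        zf.writestr("/etc/cron.d/evil", b"absolute path\n")
    return buf.getvalue()


def extract_safely(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract zip_bytes under dest, skipping any entry that fails the check.

    Writes files by hand rather than via ZipFile.extract() so the outcome
    depends on is_traversal() alone. Returns (written, rejected) entry names.
    """
    written: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_traversal(name, dest):
                rejected.append(name)
                continue
            out_path = os.path.normpath(os.path.join(dest, name))
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(name)
    return written, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Run the sample archive through extract_safely() in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(build_poc_zip(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("written :", ok)
    print("rejected:", bad)
```

Run as-is it rejects "tmp/../../moo", the same entry the pre-update Ark tried to write to /home/lcl/tmp/../../moo in the test above, while "tmp/../moo" is accepted because it normalises to a file inside the destination. The check only looks at entry names: symlink entries that point outside the destination need a separate check, and a plain startswith() prefix comparison would be fooled by a sibling directory sharing the prefix, which is why commonpath() is used.
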
Comment 4 Thomas Andrews 2020-08-03 14:31:52 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 David Walser 2020-08-12 21:14:57 CEST
Fedora has issued an advisory for this on August 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PYRKQKUVU45ANH5TFYCYZN6HVP34N3UL/
Dave Hodgins 2020-08-18 17:29:22 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2020-08-18 19:43:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0323.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

