Bug 27214 - ark new security issue CVE-2020-24654
Summary: ark new security issue CVE-2020-24654
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-27 23:57 CEST by David Walser
Modified: 2020-08-29 08:41 CEST
3 users

See Also:
Source RPM: ark-19.04.0-1.1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-08-27 23:57:40 CEST
KDE has issued an advisory today (August 27):
https://kde.org/info/security/advisory-20200827-1.txt

The issue is fixed upstream in 20.08.1 and the advisory links to the commit that fixed it.  There's also a PoC.

Mageia 7 is also affected.
David Walser 2020-08-27 23:58:40 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-08-28 11:01:02 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-08-28 17:08:41 CEST
Advisory:
========================

Updated ark package fixes security vulnerability:

A maliciously crafted TAR archive containing symlink entries would install
files anywhere in the user's home directory upon extraction (CVE-2020-24654).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24654
https://kde.org/info/security/advisory-20200827-1.txt
========================

Updated packages in core/updates_testing:
========================
ark-19.04.0-1.2.mga7
ark-handbook-19.04.0-1.2.mga7
libkerfuffle19-19.04.0-1.2.mga7

from ark-19.04.0-1.2.mga7.src.rpm

Source RPM: ark-19.04.0-1.1.mga7.src.rpm, ark-20.08.0-1.mga8.src.rpm => ark-19.04.0-1.1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs
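The advisory above describes the vulnerable pattern: a TAR entry that is a symlink pointing outside the extraction directory, followed by a regular file whose path runs through that link, so the extractor writes the file at the link's target. A pre-extraction check for that pattern, added here as an illustration (it is not the KDE fix or any Mageia code; `unsafe_tar_members`, `scan` and the in-memory sample archive are constructed for this example):

```python
import io
import posixpath
import tarfile

def _escapes_root(path):
    # True when a POSIX path, once normalised, points above or outside the extraction root.
    path = posixpath.normpath(path)
    return posixpath.isabs(path) or path == ".." or path.startswith("../")

def unsafe_tar_members(tar):
    """Return (member_name, reason) for entries that would land outside the extraction root,
    including a symlink entry pointing outside followed by a member written through it."""
    findings, symlinks = [], {}
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if _escapes_root(name):
            findings.append((m.name, "member path escapes extraction root"))
            continue
        via = next((p for p in symlinks if name.startswith(p + "/")), None)
        if via is not None:
            findings.append((m.name, "written through symlink %s -> %s" % (via, symlinks[via])))
        elif m.issym():
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            symlinks[name] = posixpath.normpath(target)
            if _escapes_root(target):
                findings.append((m.name, "symlink target escapes root: " + m.linkname))
        elif m.islnk() and _escapes_root(m.linkname):
            findings.append((m.name, "hardlink target escapes root: " + m.linkname))
    return findings

def build_sample_archive():
    # Constructed in-memory sample (not the KDE PoC): harmless file, escaping symlink, file through it.
    buf, data = io.BytesIO(), b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        readme = tarfile.TarInfo("notes/readme.txt")
        readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))
        link = tarfile.TarInfo("notes/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        payload = tarfile.TarInfo("notes/link/payload.txt")
        payload.size = len(data)
        tar.addfile(payload, io.BytesIO(data))
    buf.seek(0)
    return buf

def scan(fileobj):
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return unsafe_tar_members(tar)
```

An extractor that refuses the archive when `scan` returns any findings never performs the write; this mirrors what the upstream fix does at extraction time rather than replacing it.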

Comment 3 Herman Viaene 2020-08-28 22:44:01 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Testing by creating and expanding a tar file:
$ tar cvf tartest.tar.gz *.txt
libx11.txt
postjdbc.txt
pthipadd.txt
pthrtslib.txt

In dolphin move the created tar file to myhome/tmp and extracted tar file into tartest folder. All files present and correct.
Good enough for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Aurelien Oudelet 2020-08-28 22:50:46 CEST Comment hidden (obsolete)
Comment 5 David Walser 2020-08-28 22:54:05 CEST
Don't forget the PoC.  Should be simple to test.
Comment 6 Aurelien Oudelet 2020-08-28 23:01:28 CEST
Also good on Cauldron and Mageia 7.
No installation and usage issue.

Tested PoC on patched/updated systems (M7 and M8B1):
Ark tries to extract this maliciously crafted tar archive.
This creates a link to /tmp directory and a warning box appears saying an error occurred while extracting archive. 2 choices: continue, stop.

Continue: nothing happens, and Stop is obvious.

Should be validated.
Aurelien Oudelet 2020-08-28 23:01:36 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2020-08-28 23:55:50 CEST
Adding advisory tag based on Aurelien's comment on IRC.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-29 08:41:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0353.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

