KDE has issued an advisory today (August 27): https://kde.org/info/security/advisory-20200827-1.txt The issue is fixed upstream in 20.08.1 and the advisory links to the commit that fixed it. There's also a PoC. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated ark package fixes security vulnerability:

A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction (CVE-2020-24654).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24654
https://kde.org/info/security/advisory-20200827-1.txt
========================

Updated packages in core/updates_testing:
========================
ark-19.04.0-1.2.mga7
ark-handbook-19.04.0-1.2.mga7
libkerfuffle19-19.04.0-1.2.mga7

from ark-19.04.0-1.2.mga7.src.rpm
Source RPM: ark-19.04.0-1.1.mga7.src.rpm, ark-20.08.0-1.mga8.src.rpm => ark-19.04.0-1.1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs
MGA7-64 Plasma on Lenovo B50. No installation issues. Testing by creating and expanding a tar file:

$ tar cvf tartest.tar.gz *.txt
libx11.txt
postjdbc.txt
pthipadd.txt
pthrtslib.txt

In Dolphin, moved the created tar file to myhome/tmp and extracted the tar file into the tartest folder. All files present and correct. Good enough for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Also good on Cauldron and Mageia 7. No installation or usage issues. Good also for me.
Don't forget the PoC. Should be simple to test.
Also good on Cauldron and Mageia 7. No installation or usage issues. Tested the PoC on patched/updated systems (M7 and M8B1): Ark tries to extract this maliciously crafted tar archive. This creates a link to the /tmp directory and a warning box appears saying an error occurred while extracting the archive, with 2 choices: continue, stop. Continue: nothing happens, and Stop is obvious. Should be validated.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
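The comments above test the fix by extracting a crafted tar archive and watching Ark refuse the symlink. The check below is an added example, not code from this bug report and not Ark's own fix: a Python audit that walks a tar archive's member list and flags every entry an extractor writing into an empty directory could use to reach outside that directory. It covers the pattern the advisory describes (a symlink entry whose target leaves the extraction root, followed by a file written through that symlink) and, going a little beyond the page, the other two classic escapes, absolute or `..` member names and hard-link targets outside the root. The policy is a conservative lexical one of my own; the function names and the in-memory sample archive are constructed for the example.

```python
import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    """Lexically decide whether an archive path points outside the extraction root.
    Absolute paths, and any normalised relative path whose first component is '..',
    escape. Nothing on disk is consulted, so the check is safe to run before extracting."""
    if posixpath.isabs(path):
        return True
    parts = posixpath.normpath(path).split("/")
    return parts[0] == ".."


def audit_tar(data: bytes) -> list:
    """Return (member name, reason) pairs for every member that could touch files
    outside the extraction directory. Members are examined in archive order, because
    a regular file whose path passes through a symlink created by an *earlier* member
    is written wherever that symlink points (the CVE-2020-24654 pattern)."""
    findings = []
    symlinks_seen = set()  # normalised names of symlink members already encountered
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if _escapes_root(m.name):
                findings.append((m.name, "member path escapes extraction root"))
                continue
            # Any parent directory of this member that is an earlier symlink redirects the write.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks_seen:
                    findings.append((m.name, "path passes through symlink %r" % prefix))
                    break
            if m.issym():
                # A symlink target is interpreted relative to the symlink's own directory;
                # posixpath.join returns the target unchanged when it is absolute.
                resolved = posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes_root(resolved):
                    findings.append((m.name, "symlink target %r escapes extraction root" % m.linkname))
                symlinks_seen.add(name)
            elif m.islnk():
                # A hard-link target is relative to the archive root, not the member's directory.
                if _escapes_root(m.linkname):
                    findings.append((m.name, "hard link target %r escapes extraction root" % m.linkname))
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory sample archive (constructed test data, not the advisory's
    PoC) mixing benign entries with the escape patterns the audit is meant to catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        def add_link(name, target, link_type):
            info = tarfile.TarInfo(name)
            info.type = link_type
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt", b"hello\n")
        add_link("docs/latest", "readme.txt", tarfile.SYMTYPE)     # benign: stays inside docs/
        add_link("docs/hard", "docs/readme.txt", tarfile.LNKTYPE)  # benign hard link inside root
        add_link("escape", "/tmp", tarfile.SYMTYPE)                # absolute symlink target
        add_link("docs/up", "../../outside", tarfile.SYMTYPE)      # resolves to ../outside
        add_file("escape/note.txt", b"written through the symlink\n")
        add_file("../stray.txt", b"plain path traversal\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample_archive()):
        print("%-18s %s" % (member, reason))
```

Run stand-alone, the script lists the four unsafe members of the sample archive and stays silent about the two benign links. Because the audit is purely lexical it is deliberately strict: a symlink chain that only escapes once resolved on disk is not modelled, so extractors should still create links last or refuse to follow them, as the patched Ark does by refusing the extraction.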
Adding advisory tag based on Aurelien's comment on IRC.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0353.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED