From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 66B6F13835A for ; Sat, 1 Aug 2020 22:57:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 48C34E0AAB; Sat, 1 Aug 2020 22:57:57 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1D584E0AA4 for ; Sat, 1 Aug 2020 22:57:57 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E583734F3AC for ; Sat, 1 Aug 2020 22:57:55 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E939D2FD for ; Sat, 1 Aug 2020 22:57:53 +0000 (UTC) 
From: "Andreas Sturmlechner" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner" Message-ID: <1596322637.55a42a5c7060468e5406884bfa4294b3cdc824c7.asturm@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: kde-apps/ark/files/, kde-apps/ark/ X-VCS-Repository: repo/gentoo X-VCS-Files: kde-apps/ark/ark-20.04.3-r1.ebuild kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch X-VCS-Directories: kde-apps/ark/ kde-apps/ark/files/ X-VCS-Committer: asturm X-VCS-Committer-Name: Andreas Sturmlechner X-VCS-Revision: 55a42a5c7060468e5406884bfa4294b3cdc824c7 X-VCS-Branch: master Date: Sat, 1 Aug 2020 22:57:53 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: d9460657-baba-4a43-a473-61de461c9dcd X-Archives-Hash: cc72971a58aadc9ce4efe6620ca3bedf commit: 55a42a5c7060468e5406884bfa4294b3cdc824c7 Author: Andreas Sturmlechner gentoo org> AuthorDate: Sat Aug 1 15:41:53 2020 +0000 Commit: Andreas Sturmlechner gentoo org> CommitDate: Sat Aug 1 22:57:17 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55a42a5c kde-apps/ark: Fix CVE-2020-16116 Bug: https://bugs.gentoo.org/734622 Package-Manager: Portage-3.0.1, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner gentoo.org> kde-apps/ark/ark-20.04.3-r1.ebuild | 85 ++++++++++++++++++++++ .../ark/files/ark-20.04.3-CVE-2020-16116.patch | 46 ++++++++++++ 2 files changed, 131 insertions(+) diff --git a/kde-apps/ark/ark-20.04.3-r1.ebuild b/kde-apps/ark/ark-20.04.3-r1.ebuild new file mode 100644 index 00000000000..0777dc7a6bc --- /dev/null +++ b/kde-apps/ark/ark-20.04.3-r1.ebuild 
@@ -0,0 +1,85 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +ECM_HANDBOOK="forceoptional" +ECM_TEST="optional" +KFMIN=5.70.0 +QTMIN=5.14.2 +VIRTUALX_REQUIRED="test" +inherit ecm kde.org + +DESCRIPTION="KDE Archiving tool" +HOMEPAGE="https://kde.org/applications/utilities/org.kde.ark +https://utils.kde.org/projects/ark/" + +LICENSE="GPL-2" # TODO: CHECK +SLOT="5" +KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86" +IUSE="bzip2 lzma zip" + +BDEPEND=" + sys-devel/gettext +" +RDEPEND=" + app-arch/libarchive:=[bzip2?,lzma?,zlib] + >=dev-qt/qtdbus-${QTMIN}:5 + >=dev-qt/qtgui-${QTMIN}:5 + >=dev-qt/qtwidgets-${QTMIN}:5 + >=kde-frameworks/karchive-${KFMIN}:5 + >=kde-frameworks/kcompletion-${KFMIN}:5 + >=kde-frameworks/kconfig-${KFMIN}:5 + >=kde-frameworks/kconfigwidgets-${KFMIN}:5 + >=kde-frameworks/kcoreaddons-${KFMIN}:5 + >=kde-frameworks/kcrash-${KFMIN}:5 + >=kde-frameworks/kdbusaddons-${KFMIN}:5 + >=kde-frameworks/ki18n-${KFMIN}:5 + >=kde-frameworks/kio-${KFMIN}:5 + >=kde-frameworks/kitemmodels-${KFMIN}:5 + >=kde-frameworks/kjobwidgets-${KFMIN}:5 + >=kde-frameworks/kparts-${KFMIN}:5 + >=kde-frameworks/kpty-${KFMIN}:5 + >=kde-frameworks/kservice-${KFMIN}:5 + >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 + >=kde-frameworks/kxmlgui-${KFMIN}:5 + sys-libs/zlib + zip? ( >=dev-libs/libzip-1.2.0:= ) +" +DEPEND="${RDEPEND} + >=dev-qt/qtconcurrent-${QTMIN}:5 +" + +# bug #560548, last checked with 16.04.1 +RESTRICT+=" test" + +PATCHES=( "${FILESDIR}/${P}-CVE-2020-16116.patch" ) + +src_configure() { + local mycmakeargs=( + $(cmake_use_find_package bzip2 BZip2) + $(cmake_use_find_package lzma LibLZMA) + $(cmake_use_find_package zip LibZip) + ) + + ecm_src_configure +} + +pkg_postinst() { + ecm_pkg_postinst + + if [[ -z "${REPLACING_VERSIONS}" ]]; then + if ! has_version app-arch/rar; then + elog "For creating/extracting rar archives, installing app-arch/rar is required." + if ! has_version app-arch/unar && ! 
has_version app-arch/unrar; then + elog "Alternatively, for only extracting rar archives, install app-arch/unar (free) or app-arch/unrar (non-free)." + fi + fi + + has_version app-arch/p7zip || \ + elog "For handling 7-Zip archives, install app-arch/p7zip." + + has_version app-arch/lrzip || \ + elog "For handling lrz archives, install app-arch/lrzip." + fi +} diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch new file mode 100644 index 00000000000..79129c7be6e --- /dev/null +++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch 
@@ -0,0 +1,46 @@ +From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001 +From: Elvis Angelaccio +Date: Wed, 29 Jul 2020 23:45:30 +0200 +Subject: [PATCH] Fix vulnerability to path traversal attacks + +Ark was vulnerable to directory traversal attacks because of +missing validation of file paths in the archive. + +More details about this attack are available at: +https://github.com/snyk/zip-slip-vulnerability + +Job::onEntry() is the only place where we can safely check the path of +every entry in the archive. There shouldn't be a valid reason +to have a "../" in an archive path, so we can just play safe and abort +the LoadJob if we detect such an entry. This makes impossibile to +extract this kind of malicious archives and perform the attack. + +Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath() +so that we can still allow loading of legitimate archives that +contain "../" in their paths but still resolve inside the extraction folder. +--- + kerfuffle/jobs.cpp | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp +index fdaa48695..f73b56f86 100644 +--- a/kerfuffle/jobs.cpp ++++ b/kerfuffle/jobs.cpp +@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details) + + void Job::onEntry(Archive::Entry *entry) + { ++ const QString entryFullPath = entry->fullPath(); ++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) { ++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath; ++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString()); ++ onFinished(false); ++ return; ++ } ++ + emit newEntry(entry); + } + +-- +GitLab +
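Review bot: the ebuild hunk (kde-apps/ark/ark-20.04.3-r1.ebuild) carries forward an unresolved `LICENSE="GPL-2" # TODO: CHECK` marker and a test restriction whose comment reads `# bug #560548, last checked with 16.04.1`, both unchanged in a revision that now ships a security patch for 20.04.3. A revbump like this is the moment to verify the license and drop the TODO, and to re-check whether bug #560548 still applies at 20.04.3 (ECM_TEST="optional" and VIRTUALX_REQUIRED="test" are set, but `RESTRICT+=" test"` makes them inert); if it does, update the comment with the version at which it was last confirmed. The PATCHES entry itself is consistent: "${FILESDIR}/${P}-CVE-2020-16116.patch" resolves to ark-20.04.3-CVE-2020-16116.patch, which is the file added in the second hunk.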
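Review bot: in the kerfuffle/jobs.cpp hunk of ark-20.04.3-CVE-2020-16116.patch, the guard `QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))` only rejects entries whose normalized path still contains a `../` component; it does not reject an entry whose cleaned path is absolute (QDir::cleanPath() preserves a leading `/`, so such a path passes the check unchanged) or one that is exactly `..` with no trailing slash. Given the stated intent of refusing any entry that could resolve outside the extraction folder, consider widening the condition, for example:
    const QString cleaned = QDir::cleanPath(entryFullPath);
    if (cleaned == QLatin1String("..") || cleaned.startsWith(QLatin1String("../")) || QDir::isAbsolutePath(cleaned)) {
and spelling out in the patch description which entry shapes are covered. Note also that after QDir::cleanPath() any surviving `..` component is always leading, so startsWith() expresses the intent more precisely than contains().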