From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 50224138359 for ; Mon, 28 Sep 2020 21:33:31 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4745BE07F2; Mon, 28 Sep 2020 21:33:30 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1B970E07F2 for ; Mon, 28 Sep 2020 21:33:30 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 69BB133FECD for ; Mon, 28 Sep 2020 21:33:28 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E229237F for ; Mon, 28 Sep 2020 21:33:26 +0000 (UTC) From: "Andreas Sturmlechner" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner" Message-ID: <1601328502.f25fa2d93956341a938c84f2da5057b8fe2e259c.asturm@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: kde-apps/ark/files/, kde-apps/ark/ X-VCS-Repository: repo/gentoo X-VCS-Files: kde-apps/ark/ark-20.04.3-r2.ebuild kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch X-VCS-Directories: kde-apps/ark/ kde-apps/ark/files/ X-VCS-Committer: asturm X-VCS-Committer-Name: Andreas Sturmlechner X-VCS-Revision: f25fa2d93956341a938c84f2da5057b8fe2e259c X-VCS-Branch: master Date: Mon, 28 Sep 2020 21:33:26 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 96c0c3f1-fa5b-40d8-99fb-f011643e14f7 X-Archives-Hash: f24675574c12e151552ebaf13899eb44 commit: f25fa2d93956341a938c84f2da5057b8fe2e259c Author: Andreas Sturmlechner gentoo org> AuthorDate: Mon Sep 28 18:40:24 2020 +0000 Commit: Andreas Sturmlechner gentoo org> CommitDate: Mon Sep 28 21:28:22 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d9 kde-apps/ark: Fix CVE-2020-24654 Bug: https://bugs.gentoo.org/743959 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner gentoo.org> kde-apps/ark/ark-20.04.3-r2.ebuild | 84 ++++++++++++++++++++++ .../ark/files/ark-20.04.3-CVE-2020-24654.patch | 53 ++++++++++++++ 2 files changed, 137 insertions(+) diff --git a/kde-apps/ark/ark-20.04.3-r2.ebuild b/kde-apps/ark/ark-20.04.3-r2.ebuild new file mode 100644 index 00000000000..d77562b55a7 --- /dev/null +++ b/kde-apps/ark/ark-20.04.3-r2.ebuild @@ -0,0 +1,84 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +ECM_HANDBOOK="forceoptional" +ECM_TEST="optional" +KFMIN=5.70.0 +QTMIN=5.14.2 +VIRTUALX_REQUIRED="test" +inherit ecm kde.org optfeature + +DESCRIPTION="File archiver by KDE" +HOMEPAGE="https://kde.org/applications/en/ark +https://utils.kde.org/projects/ark/" + +LICENSE="GPL-2" # TODO: CHECK +SLOT="5" +KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86" +IUSE="zip" + +BDEPEND=" + sys-devel/gettext +" +RDEPEND=" + app-arch/libarchive:=[bzip2,lzma,zlib] + >=dev-qt/qtdbus-${QTMIN}:5 + >=dev-qt/qtgui-${QTMIN}:5 + >=dev-qt/qtwidgets-${QTMIN}:5 + >=kde-frameworks/karchive-${KFMIN}:5 + >=kde-frameworks/kcompletion-${KFMIN}:5 + >=kde-frameworks/kconfig-${KFMIN}:5 + >=kde-frameworks/kconfigwidgets-${KFMIN}:5 + >=kde-frameworks/kcoreaddons-${KFMIN}:5 + >=kde-frameworks/kcrash-${KFMIN}:5 + >=kde-frameworks/kdbusaddons-${KFMIN}:5 + >=kde-frameworks/ki18n-${KFMIN}:5 + >=kde-frameworks/kio-${KFMIN}:5 + >=kde-frameworks/kitemmodels-${KFMIN}:5 + >=kde-frameworks/kjobwidgets-${KFMIN}:5 + >=kde-frameworks/kparts-${KFMIN}:5 + >=kde-frameworks/kpty-${KFMIN}:5 + >=kde-frameworks/kservice-${KFMIN}:5 + >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 + >=kde-frameworks/kxmlgui-${KFMIN}:5 + sys-libs/zlib + zip? ( >=dev-libs/libzip-1.2.0:= ) +" +DEPEND="${RDEPEND} + >=dev-qt/qtconcurrent-${QTMIN}:5 +" + +PATCHES=( + "${FILESDIR}/${P}-CVE-2020-16116.patch" + "${FILESDIR}/${P}-CVE-2020-24654.patch" +) + +src_configure() { + local mycmakeargs=( + $(cmake_use_find_package zip LibZip) + ) + + ecm_src_configure +} + +src_test() { + local myctestargs=( + -E "(plugins-clirartest)" + ) + + ecm_src_test +} + +pkg_postinst() { + if [[ -z "${REPLACING_VERSIONS}" ]]; then + elog "Optional dependencies:" + optfeature "rar archive creation/extraction" app-arch/rar + optfeature "rar archive extraction only" app-arch/unar app-arch/unrar + optfeature "7-Zip archive support" app-arch/p7zip + optfeature "lrz archive support" app-arch/lrzip + optfeature "markdown support in text previews" kde-misc/markdownpart:${SLOT} kde-misc/kmarkdownwebview:${SLOT} + fi + ecm_pkg_postinst +} diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch new file mode 100644 index 00000000000..8b3821893ef --- /dev/null +++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch @@ -0,0 +1,53 @@ +From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001 +From: Fabian Vogt +Date: Tue, 25 Aug 2020 22:14:37 +0200 +Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive + +There are archive types which allow to first create a symlink and then +later on dereference it. If the symlink points outside of the archive, +this results in writing outside of the destination directory. + +With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids +this situation by verifying that none of the target path components are +symlinks before writing. + +Remove the commented out code in the method, which would actually +misbehave if enabled again. + +Signed-off-by: Fabian Vogt +--- + plugins/libarchive/libarchiveplugin.cpp | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp +index 50e81da1..8a0fed21 100644 +--- a/plugins/libarchive/libarchiveplugin.cpp ++++ b/plugins/libarchive/libarchiveplugin.cpp +@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry) + + int LibarchivePlugin::extractionFlags() const + { +- int result = ARCHIVE_EXTRACT_TIME; +- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; +- +- // TODO: Don't use arksettings here +- /*if ( ArkSettings::preservePerms() ) +- { +- result &= ARCHIVE_EXTRACT_PERM; +- } +- +- if ( !ArkSettings::extractOverwrite() ) +- { +- result &= ARCHIVE_EXTRACT_NO_OVERWRITE; +- }*/ +- +- return result; ++ return ARCHIVE_EXTRACT_TIME ++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT ++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS; + } + + void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress) +-- +GitLab +