Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-D1EF1138-D273-11EA-A757-E0D55E2A8BF9:
KDE Project Security Advisory reports:
KDE Project Security Advisory
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 30 July 2020
Overview
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of a malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart
Workaround
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.
Credits
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
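
The manual inspection described under Workaround, as an added example (not code from the KDE advisory or from Ark): it lists a ZIP archive's entries without extracting anything and reports those whose path would resolve outside the extraction directory. It goes slightly beyond the advisory's "../" case by also flagging absolute paths; the function names are hypothetical and the sample archive is constructed in memory.

```python
import io
import posixpath
import sys
import zipfile


def escaping_entries(zip_source):
    """Return names of entries that would land outside the extraction directory.

    Only the archive's central directory is read; nothing is extracted.
    """
    flagged = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            # ZIP paths use "/", but some tools also write "\"; treat both as separators.
            name = info.filename.replace("\\", "/")
            # Collapse "a/../b" so only paths that really climb out are reported.
            resolved = posixpath.normpath(name)
            climbs_out = resolved == ".." or resolved.startswith("../")
            if name.startswith("/") or climbs_out:
                flagged.append(info.filename)
    return flagged


def build_sample_archive():
    """Constructed sample: a mix of harmless and escaping entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("docs/../notes.txt", "contains ../ but stays inside")
        zf.writestr("../../.config/autostart/x.desktop", "escapes")
        zf.writestr("docs/../../.bashrc", "escapes after normalisation")
        zf.writestr("/tmp/abs.txt", "absolute path")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_archive.py downloaded.zip  (no argument: use the sample)
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_archive()
    bad = escaping_entries(source)
    for entry in bad:
        print("outside extraction directory:", entry)
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any entry is flagged, so it can gate an extraction step on systems still running ark <= 20.04.3.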