FreeBSD: VID-d1ef1138-d273-11ea-a757-e0d55e2a8bf9 (CVE-2020-16116): ark -- directory traversal

KDE Project Security Advisory reports: KDE Project Security Advisory Title: Ark: maliciously crafted archive can install files outside the extraction directory. Risk Rating: Important CVE: CVE-2020-16116 Versions: ark <= 20.04.3 Author: Elvis Angelaccio <[email protected]> Date: 30 July 2020 Overview A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction. Proof of concept For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip Impact Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart Workaround Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path. Solution Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users. Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases. Credits Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it.