vulnerability

FreeBSD: VID-D1EF1138-D273-11EA-A757-E0D55E2A8BF9 (CVE-2020-16116): ark -- directory traversal

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Jul 30, 2020
Added
Jul 31, 2020
Modified
Oct 20, 2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.


From VID-D1EF1138-D273-11EA-A757-E0D55E2A8BF9:




KDE Project Security Advisory reports:



KDE Project Security Advisory




Title:


Ark: maliciously crafted archive can install files outside the extraction directory.




Risk Rating:


Important




CVE:


CVE-2020-16116




Versions:


ark




Author:


Elvis Angelaccio




Date:


30 July 2020




Overview


A maliciously crafted archive with "../" in the file paths


would install files anywhere in the user's home directory upon extraction.



Proof of concept


For testing, an example of malicious archive can be found at


https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip



Impact


Users can unwillingly install files like a modified .bashrc, or a malicious


script placed in ~/.config/autostart



Workaround


Users should not use the 'Extract' context menu from the Dolphin file manager.


Before extracting a downloaded archive using the Ark GUI, users should inspect it


to make sure it doesn't contain entries with "../" in the file path.



Solution


Ark 20.08.0 prevents loading of malicious archives and shows a warning message


to the users.



Alternatively,


https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f


can be applied to previous releases.



Credits


Thanks to Dominik Penner for finding and reporting this issue and thanks to


Elvis Angelaccio and Albert Astals Cid for fixing it.




Solution

freebsd-upgrade-package-ark
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.