

CVS commit: pkgsrc/archivers/ark



Module Name:    pkgsrc
Committed By:   markd
Date:           Sun Sep 20 11:05:31 UTC 2020

Modified Files:
        pkgsrc/archivers/ark: Makefile distinfo
Added Files:
        pkgsrc/archivers/ark/patches: patch-kerfuffle_jobs.cpp
            patch-plugins_libarchive_libarchiveplugin.cpp

Log Message:
ark: patches for CVE-2020-16116 and CVE-2020-24654


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 pkgsrc/archivers/ark/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/archivers/ark/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp \
    pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/archivers/ark/Makefile
diff -u pkgsrc/archivers/ark/Makefile:1.61 pkgsrc/archivers/ark/Makefile:1.62
--- pkgsrc/archivers/ark/Makefile:1.61  Tue Aug 18 17:57:33 2020
+++ pkgsrc/archivers/ark/Makefile       Sun Sep 20 11:05:31 2020
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2020/08/18 17:57:33 leot Exp $
+# $NetBSD: Makefile,v 1.62 2020/09/20 11:05:31 markd Exp $
 
 DISTNAME=      ark-${KAPPSVER}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    x11
 
 HOMEPAGE=      https://kde.org/applications/utilities/ark/

Index: pkgsrc/archivers/ark/distinfo
diff -u pkgsrc/archivers/ark/distinfo:1.12 pkgsrc/archivers/ark/distinfo:1.13
--- pkgsrc/archivers/ark/distinfo:1.12  Tue Jun  9 11:56:05 2020
+++ pkgsrc/archivers/ark/distinfo       Sun Sep 20 11:05:31 2020
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.12 2020/06/09 11:56:05 markd Exp $
+$NetBSD: distinfo,v 1.13 2020/09/20 11:05:31 markd Exp $
 
 SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422
 RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7
 SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1
 Size (ark-20.04.1.tar.xz) = 2587528 bytes
+SHA1 (patch-kerfuffle_jobs.cpp) = 41684c88ef8518e9a06ddcb073cf7251f78b9a79
+SHA1 (patch-plugins_libarchive_libarchiveplugin.cpp) = 1cd5da5873f3e32f79ce0a85a1afabca28b96fcd

Added files:

Index: pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp
diff -u /dev/null pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp:1.1
--- /dev/null   Sun Sep 20 11:05:31 2020
+++ pkgsrc/archivers/ark/patches/patch-kerfuffle_jobs.cpp       Sun Sep 20 11:05:31 2020
@@ -0,0 +1,22 @@
+$NetBSD: patch-kerfuffle_jobs.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
+
+https://kde.org/info/security/advisory-20200730-1.txt
+A maliciously crafted archive with "../" in the file paths would
+install files anywhere in the user's home directory upon extraction.
+
+--- kerfuffle/jobs.cpp.orig    2020-05-11 21:15:07.000000000 +0000
++++ kerfuffle/jobs.cpp
+@@ -181,6 +181,13 @@ void Job::onError(const QString & messag
+ 
+ void Job::onEntry(Archive::Entry *entry)
+ {
++    const QString entryFullPath = entry->fullPath();
++    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++        qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++        onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++        onFinished(false);
++        return;
++    }
+     emit newEntry(entry);
+ }
+ 
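Review bot: The rejection test on the `QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))` line is a plain substring match, so its correctness rests on cleanPath() having already folded interior `x/..` sequences away and left only the leading `..` components that genuinely escape the destination; that reasoning is not written down and deserves a comment such as `// cleanPath() resolves interior "x/.." pairs, so any "../" that survives points outside the extraction root`. Because the slash is part of the pattern, a path that normalizes to exactly `..` does not trigger it; whether such an entry can do any harm I cannot tell from here, but a component-wise test, `QDir::cleanPath(entryFullPath).split(QLatin1Char('/')).contains(QStringLiteral(".."))`, would be precise either way. After `onFinished(false)` the function returns, but nothing in Job::onEntry stops the plugin from emitting further entries, so onError()/onFinished() may fire once per remaining entry if the caller keeps iterating — worth confirming against the plugin's listing loop, which lies outside this hunk.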
Index: pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp
diff -u /dev/null pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp:1.1
--- /dev/null   Sun Sep 20 11:05:31 2020
+++ pkgsrc/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp  Sun Sep 20 11:05:31 2020
@@ -0,0 +1,33 @@
+$NetBSD: patch-plugins_libarchive_libarchiveplugin.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
+
+https://kde.org/info/security/advisory-20200827-1.txt
+A maliciously crafted TAR archive containing symlink entries would
+install files anywhere in the user's home directory upon extraction.
+
+--- plugins/libarchive/libarchiveplugin.cpp.orig       2020-05-11 21:15:07.000000000 +0000
++++ plugins/libarchive/libarchiveplugin.cpp
+@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArch
+ 
+ int LibarchivePlugin::extractionFlags() const
+ {
+-    int result = ARCHIVE_EXTRACT_TIME;
+-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+-    // TODO: Don't use arksettings here
+-    /*if ( ArkSettings::preservePerms() )
+-    {
+-        result &= ARCHIVE_EXTRACT_PERM;
+-    }
+-
+-    if ( !ArkSettings::extractOverwrite() )
+-    {
+-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+-    }*/
+-
+-    return result;
++    return ARCHIVE_EXTRACT_TIME
++           | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++           | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+ 
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
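Review bot: The rewritten `return ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_SECURE_NODOTDOT | ARCHIVE_EXTRACT_SECURE_SYMLINKS;` carries no explanation of why the two SECURE flags are present, and since extractionFlags() is the single place where libarchive's on-disk extraction policy is decided, a comment pinning them down is warranted: `// SECURE_NODOTDOT refuses any ".." path element; SECURE_SYMLINKS refuses to write through a symlink already on disk (advisory-20200827-1). Both are load-bearing.` The old TODO about honouring ArkSettings for permissions and overwrite is gone with the commented block; if that intent still matters, it should be recorded in the bug tracker rather than silently dropped, which the note could mention. libarchive also provides `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS`, which as far as I recall makes it refuse entries with an absolute pathname; whether Ark already prefixes the destination directory itself before handing pathnames to libarchive is not visible in this hunk, so I would check that before deciding whether the flag belongs here too.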


