mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-30 10:38:37 +00:00
Code Issues Releases Activity
9f15be52f8
freebsd-ports/archivers
History
Tobias C. Berner 054311d725 archivers/ark: fix vulnerability in tar extraction 
KDE Project Security Advisory
=============================

Title:           Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-24654
Versions:        ark <= 20.08.0
Author:          Elvis Angelaccio <elvis.angelaccio@kde.org>
Date:            27 August 2020

Overview
========

A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.

Proof of concept
================

For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar

Impact
======

Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.

Workaround
==========

Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution
========

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, 8bf8c5ef07 can be applied to previous
releases.

Credits
=======

Thanks to Fabian Vogt for reporting this issue and for fixing it.

MFH:		2020Q3
Security:	CVE-2020-24654
2020-08-28 05:47:31 +00:00
..
9e
advancecomp
amigadepacker
arc Fix build. 2020-08-20 04:43:54 +00:00
arj Pet portlint: Declare USES early 2020-07-23 19:23:58 +00:00
ark archivers/ark: fix vulnerability in tar extraction 2020-08-28 05:47:31 +00:00
atool
bicom
brotli Update from 1.0.7 to 1.0.9. 2020-08-27 14:45:38 +00:00
bzip First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
bzip2
c-blosc - Update WWW 2020-06-01 09:32:50 +00:00
cabextract Remove no-op command 2020-01-20 20:09:34 +00:00
dact
deb2targz
deco
deutex
dpkg
dzip - Install `Readme' file as documentation 2020-02-08 10:34:21 +00:00
ecm
engrampa Update to 1.24.0 2020-06-12 07:49:30 +00:00
erlang-snappy
fastjar
file-roller
fpc-bzip2
fpc-unzip
gcab Update to 1.3 2019-12-16 10:36:03 +00:00
gcpio Actually bump PORTREVISION after fixing -fno-common build. 2020-08-24 14:56:43 +00:00
gnome-autoar Update to 0.2.4 2019-12-16 08:49:02 +00:00
grzip
gtar
gzip
gzrecover
ha
hlextract
innoextract devel/boost-*: update to 1.72.0 2019-12-11 17:53:48 +00:00
javatar
jzlib
kf5-karchive KDE Frameworks: update to 5.73.0 2020-08-09 15:25:19 +00:00
kzip
laszip Update to 3.4.3 2020-07-04 08:08:39 +00:00
lazperf archivers/lazperf: Update to 1.4.4 2020-04-19 15:58:04 +00:00
lbrate
lbzip2
lcab First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
lha First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
lha-ac Mk/bsd.sites.mk: Update URL of MASTER_SITE_OSDN to one that supports geographical load balancing 2020-07-24 06:28:59 +00:00
lhasa
lib1541img Regular USE_GITHUB cleanup. 2020-05-20 15:49:37 +00:00
libarc
libarchive Update to 3.4.3 2020-05-22 01:58:05 +00:00
libcabinet
libcomprex
libdeflate Update to version 1.6. 2020-05-13 07:43:02 +00:00
libdynamite
liblz4 Bump PORTREVISION after man page move, it has an impact on 1 reverse dep 2020-01-19 17:19:13 +00:00
liblzxcomp First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
libmspack - Add LICENSE_FILE 2020-03-25 09:32:14 +00:00
libpar2
librtfcomp Convert REINPLACE_CMD to patch file 2020-02-08 19:01:35 +00:00
libunrar Update MAINTAINER: use @FreeBSD.org 2020-02-13 14:27:46 +00:00
libunrar5
libzip
linux-c7-lz4
lizard Change MAINTAINER email address to FreeBSD.org one 2020-04-13 03:15:19 +00:00
lrzip
lua-lzlib USES=lua gained flavors. 2020-04-14 15:49:36 +00:00
lua-zlib USES=lua gained flavors. 2020-04-14 15:49:36 +00:00
lzfse
lzip
lziprecover
lzlib archivers/lzlib: update to 1.11. 2020-02-09 20:45:07 +00:00
lzma - Update WWW 2020-02-15 09:31:24 +00:00
lzmalib
lzo2
lzop WWW/DL link maintenance in pkg-descr and Makefile 2020-04-26 13:51:54 +00:00
makeself
mar First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
maxcso
minizip Change my mail address to lbartoletti@FreeBSD.org 2020-01-14 21:45:15 +00:00
mscompress First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
mtf
nomarch First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
nwreckdum
ocaml-bz2
ocaml-zip
opkg-openwrt
p5-Archive-Any
p5-Archive-Any-Lite
p5-Archive-Any-Plugin-Rar
p5-Archive-Extract Update to 0.86 2020-01-13 17:43:37 +00:00
p5-Archive-Extract-Libarchive
p5-Archive-Peek
p5-Archive-Rar
p5-Archive-SimpleExtractor
p5-Archive-Tar
p5-Archive-Tar-Wrapper
p5-Archive-Zip Update to 1.68 2020-03-28 12:47:20 +00:00
p5-Compress-Bzip2
p5-Compress-LZ4
p5-Compress-LZF
p5-Compress-LZO
p5-Compress-LZW
p5-Compress-Raw-Bzip2 Update to 2.096 2020-08-08 10:17:34 +00:00
p5-Compress-Raw-Lzma Update to 2.096 2020-08-08 10:17:39 +00:00
p5-Compress-Raw-Zlib Update to 2.096 2020-08-08 10:17:44 +00:00
p5-Compress-Snappy
p5-Gzip-Faster
p5-IO-Compress Update to 2.096 2020-08-08 10:17:49 +00:00
p5-IO-Compress-Brotli
p5-IO-Compress-Lzf Update to 2.096 2020-08-08 10:17:54 +00:00
p5-IO-Compress-Lzma Update to 2.096 2020-08-08 10:17:59 +00:00
p5-IO-Compress-Lzop Update to 2.096 2020-08-08 10:18:03 +00:00
p5-IO-Zlib
p5-Mac-Macbinary
p5-PerlIO-gzip
p5-PerlIO-via-Bzip2
p5-POE-Filter-Bzip2
p5-POE-Filter-LZF
p5-POE-Filter-LZO
p5-POE-Filter-LZW
p5-POE-Filter-Zlib
p7zip archivers/p7zip: fix build on powerpc64 2020-03-14 21:04:01 +00:00
p7zip-codec-rar
packddir Sanitize COMMENT per Section 5.6 of the FreeBSD Porter's Handbook (part 5). 2020-05-28 07:51:53 +00:00
paq
par First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
par2cmdline Change upstream and update to much newer version 0.8.1 2020-08-19 10:10:37 +00:00
par2cmdline-tbb Update devel/tbb to 2020.3 and bump dependent ports' revisions 2020-07-17 10:12:25 +00:00
parchive
pbzip2 First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
pear-File_Archive hand over Maintainership to miwi 2020-03-06 17:05:44 +00:00
pear-Horde_Compress
pear-Horde_Compress_Fast
pear-Horde_Pack
pear-PHP_Archive hand over Maintainership to miwi 2020-03-06 17:05:44 +00:00
peazip - Pet portlint 2020-05-25 09:32:46 +00:00
pecl-lzf Update to 1.6.8 2020-07-19 14:40:46 +00:00
pecl-rar hand over Maintainership to miwi 2020-03-06 17:05:44 +00:00
php72-bz2
php72-phar
php72-zip
php72-zlib
php73-bz2
php73-phar
php73-zip
php73-zlib
php74-bz2
php74-phar
php74-zip
php74-zlib
php-brotli
php-horde_lz4
php-lz4 Sanitize COMMENT per Section 5.6 of the FreeBSD Porter's Handbook (part 1). 2020-05-27 11:59:13 +00:00
php-snappy Update to 0.1.11 2020-08-02 09:29:13 +00:00
php-zstd Sanitize COMMENT per Section 5.6 of the FreeBSD Porter's Handbook (part 1). 2020-05-27 11:59:13 +00:00
pigz First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
pixz Update to 1.0.6. 2020-03-16 19:08:57 +00:00
plzip
ppmd
ppmd-7z
ppunpack
pxz First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
py-acefile
py-borgbackup archivers/py-borgbackup: Update to 1.1.13 2020-06-09 11:08:59 +00:00
py-brotli
py-brotlipy
py-bz2file
py-libarchive-c
py-lz4
py-lzma - Unbreak package build on ARM arch 2020-04-12 01:22:10 +00:00
py-lzstring
py-pyliblzma - Update WWW 2020-02-26 09:31:54 +00:00
py-python-lhafile
py-python-lzo
py-python-snappy
py-rarfile Update to 4.0 2020-08-04 03:27:18 +00:00
py-rcssmin
py-rjsmin Updated to 1.1.0 2020-01-17 06:41:30 +00:00
py-warctools
py-xopen
py-zopfli Update to 0.1.7 2019-12-08 17:00:40 +00:00
py-zstandard archivers/py-zstandard: Update 0.13.0 -> 0.14.0 2020-06-15 05:39:09 +00:00
py-zstd archivers/py-zstd: Update 1.4.4.0 -> 1.4.5.1 2020-06-19 06:09:14 +00:00
qpress Update MAINTAINER: use @FreeBSD.org 2020-02-13 14:27:46 +00:00
quazip archivers/quazip: update to 0.9.1 2020-05-25 13:13:43 +00:00
R-cran-zip math/R: Update to version 4.0.0 2020-05-05 16:07:53 +00:00
rar Update distinfo for i386 2020-07-09 18:08:17 +00:00
rpm2cpio
rpm4 Multiple ports: improve regex compliance 2020-06-08 04:41:31 +00:00
rubygem-archive-tar-minitar
rubygem-archive-zip
rubygem-bzip2-ruby
rubygem-fpm Update version requirement of RUN_DEPENDS 2020-08-23 19:41:29 +00:00
rubygem-libarchive
rubygem-minitar
rubygem-minitar-cli
rubygem-ruby-xz Cosmetic change 2020-01-23 04:23:19 +00:00
rubygem-rubyzip Update to 2.3.0 2020-03-28 12:56:14 +00:00
rubygem-rubyzip2
rubygem-rubyzip13 Add rubygem-rubyzip13 1.3.0 (copied from rubygem-rubyzip) 2020-01-31 16:08:34 +00:00
rubygem-rubyzip20 Add rubygem-rubyzip20 2.0.0 (copied from rubygem-rubyzip) 2020-02-02 10:54:51 +00:00
rubygem-snappy
rvm
rzip Set the install-path via configure instead of patching Makefile.in 2020-02-13 23:42:42 +00:00
sectar
sharutils
snappy Update to 1.1.8. 2020-01-22 00:12:31 +00:00
snappy-java archivers/snappy-java: fix build on aarch64 2020-06-11 17:29:56 +00:00
snzip
squsq
star
stuffit
szip
tar-stream-chunker archivers/tar-stream-chunker: Update to 1.0.6 2020-07-26 14:45:11 +00:00
tardy devel/boost-*: update to 1.72.0 2019-12-11 17:53:48 +00:00
thunar-archive-plugin
torrentzip
ucl
unace
unadf archivers/unadf: Move to USE_GITHUB 2020-07-22 14:59:51 +00:00
unalz
unarchiver devel/icu: update to 67.1 2020-04-23 20:14:49 +00:00
unarj
unarr
undms
unfoo - Update WWW 2020-06-28 09:35:07 +00:00
unlzx
unmakeself
unmass
unrar Update to 5.91 2020-07-08 18:55:09 +00:00
unrar-iconv
unshield Update manpage location (r523104) 2020-05-08 20:50:24 +00:00
unzip First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
unzoo First pass at moving manpages to share/man for category a* 2020-01-16 09:34:42 +00:00
upx Fix build with clang 10 2020-03-17 17:45:47 +00:00
urbackup-client archivers/urbackup-client: Remove build fixes for security/cryptopp >= 6.0.0 2020-08-27 17:01:34 +00:00
urbackup-server archivers/urbackup-server: Remove build fixes for security/cryptopp >= 6.0.0 2020-08-27 17:01:02 +00:00
v1541commander Regular USE_GITHUB cleanup. 2020-05-20 15:49:37 +00:00
xar
xarchive
xarchiver
xdms
xmill
xpk
zip Update WWW 2020-02-03 19:47:52 +00:00
zip-ada
zipmix
zipper
zoo Really fix `archivers/zoo' on 64-bit machines. When PR 162804 had been 2020-07-01 10:27:06 +00:00
zopfli Build and install static library 2019-12-08 16:51:51 +00:00
zstd Change build system from gmake to meson 2020-08-19 16:26:38 +00:00
zutils - Update to 1.9 2020-08-12 16:43:02 +00:00
Makefile Remove deprecated ports: 2020-08-15 10:50:58 +00:00