ark: update to 20.08.0.
parent
46794cf3e8
commit
bbde9aeeaf
3 changed files with 3 additions and 50 deletions
|
@ -1,46 +0,0 @@
|
|||
From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
|
||||
From: Elvis Angelaccio <elvis.angelaccio@kde.org>
|
||||
Date: Wed, 29 Jul 2020 23:45:30 +0200
|
||||
Subject: [PATCH] Fix vulnerability to path traversal attacks
|
||||
|
||||
Ark was vulnerable to directory traversal attacks because of
|
||||
missing validation of file paths in the archive.
|
||||
|
||||
More details about this attack are available at:
|
||||
https://github.com/snyk/zip-slip-vulnerability
|
||||
|
||||
Job::onEntry() is the only place where we can safely check the path of
|
||||
every entry in the archive. There shouldn't be a valid reason
|
||||
to have a "../" in an archive path, so we can just play safe and abort
|
||||
the LoadJob if we detect such an entry. This makes impossibile to
|
||||
extract this kind of malicious archives and perform the attack.
|
||||
|
||||
Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
|
||||
so that we can still allow loading of legitimate archives that
|
||||
contain "../" in their paths but still resolve inside the extraction folder.
|
||||
---
|
||||
kerfuffle/jobs.cpp | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
|
||||
index fdaa48695..f73b56f86 100644
|
||||
--- a/kerfuffle/jobs.cpp
|
||||
+++ b/kerfuffle/jobs.cpp
|
||||
@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
|
||||
|
||||
void Job::onEntry(Archive::Entry *entry)
|
||||
{
|
||||
+ const QString entryFullPath = entry->fullPath();
|
||||
+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
|
||||
+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
|
||||
+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
|
||||
+ onFinished(false);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
emit newEntry(entry);
|
||||
}
|
||||
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -1 +0,0 @@
|
|||
-Np1
|
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'ark'
|
||||
pkgname=ark
|
||||
version=20.04.3
|
||||
revision=2
|
||||
version=20.08.0
|
||||
revision=1
|
||||
build_style=cmake
|
||||
hostmakedepends="extra-cmake-modules qt5-devel qt5-qmake
|
||||
kdoctools kconfig gettext pkg-config"
|
||||
|
@ -11,7 +11,7 @@ maintainer="John <me@johnnynator.dev>"
|
|||
license="GPL-2.0-or-later"
|
||||
homepage="https://kde.org/applications/en/utilities/org.kde.ark"
|
||||
distfiles="${KDE_SITE}/release-service/${version}/src/${pkgname}-${version}.tar.xz"
|
||||
checksum=e7251b0b6f12291ffbaa328bf7f8e101ebeef6fd110dabbcf76d8ad7cfd305bc
|
||||
checksum=7627ffa17466d31dfdedabaa07b491ce14b46041d04f8b20316a0fa731fab098
|
||||
|
||||
if [ "$CROSS_BUILD" ]; then
|
||||
hostmakedepends+=" python3 kcoreaddons kparts"
|
||||
|
|