Bugzilla – Bug 1175857
VUL-0: CVE-2020-24654: ark: maliciously crafted TAR archive can install files outside the extraction directory
Last modified: 2020-12-31 07:25:25 UTC
https://kde.org/info/security/advisory-20200827-1.txt

Overview
========
A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.

Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.
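As an added example (not part of the advisory or of Ark's code), a pre-extraction audit in Python that flags the archive shape described above: a symlink entry whose target leaves the extraction directory, and later entries written through that symlink. It goes slightly beyond the advisory by also flagging absolute and `..` member paths; `audit_tar`, `build_sample` and the sample entry names are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a normalised archive path is absolute or climbs above the root."""
    return posixpath.isabs(path) or path == ".." or path.startswith("../")


def audit_tar(fileobj):
    """Return (entry name, reason) pairs; inspects headers only, writes nothing."""
    findings, links = [], set()  # links: paths earlier entries declared as symlinks
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            parents = {"/".join(parts[:i]) for i in range(1, len(parts))}
            if _escapes(name):
                findings.append((m.name, "path escapes extraction root"))
            elif parents & links:
                findings.append((m.name, "written through an archived symlink"))
            elif m.issym():
                # Resolve the target lexically, relative to the link's directory.
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), m.linkname))
                if _escapes(target):
                    findings.append((m.name, "symlink target outside extraction root"))
                links.add(name)
    return findings


def build_sample(entries):
    """Constructed test input: in-memory TAR from (name, symlink target or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample([("docs/readme.txt", None), ("link", "../outside"),
                           ("link/file.txt", None)])
    for name, reason in audit_tar(sample):
        print(f"{name}: {reason}")
```

The check is lexical only: it does not cover hard-link entries or symlinks that already exist in the destination directory.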
Submission to devel prj: sr 830086
Maintenance request: sr 830088
This is an autogenerated message for OBS integration: This bug (1175857) was mentioned in https://build.opensuse.org/request/show/830088 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / ark
openSUSE-SU-2020:1310-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175857
CVE References: CVE-2020-24654
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): ark-20.04.2-lp152.2.6.1
openSUSE Leap 15.1 (src): ark-18.12.3-lp151.2.7.1
openSUSE Backports SLE-15-SP1 (src): ark-18.12.3-bp151.3.6.1
openSUSE-SU-2020:1310-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175857
CVE References: CVE-2020-24654
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): ark-20.04.2-bp152.2.6.1
released