KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Albert Astals Cid
aacid at kde.org
Wed Jul 29 23:18:26 BST 2020
KDE Project Security Advisory
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio at kde.org>
Date: 30 July 2020
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of a malicious archive can be found at
Users can unwittingly install files such as a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
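The inspection step recommended above, as an added example that is not Ark's code or the advisory's PoC: a Python check that lists archive entries which would resolve outside the extraction directory, catching "../" components anywhere in the path, absolute names, and (for tars) symlink and hardlink targets. The sample zip is constructed inline, and the "/tmp/extract" destination is an assumed placeholder.

```python
import io
import posixpath
import tarfile
import zipfile

def resolves_inside(entry_name, dest_dir="/tmp/extract"):
    """True if an archive entry would land inside dest_dir (an assumed
    placeholder) after extraction. Rejects absolute names, Windows drive
    prefixes, and names that normalise above dest, e.g. 'docs/../../x'."""
    # Entry names use '/' separators, so posixpath is used on any host OS.
    if posixpath.isabs(entry_name) or ":" in entry_name.split("/")[0]:
        return False
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, entry_name))
    return target == dest or target.startswith(dest + "/")

def unsafe_entries(archive_bytes):
    """Names of zip/tar entries that would escape the extraction directory.
    Tar symlink/hardlink targets are checked too: a link to '../..' is
    another route out."""
    buf = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return [n for n in zf.namelist() if not resolves_inside(n)]
    buf.seek(0)
    bad = []
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        for m in tf.getmembers():
            if not resolves_inside(m.name):
                bad.append(m.name)
            elif m.issym():  # symlink target is relative to the entry's directory
                link = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if not resolves_inside(link):
                    bad.append(m.name)
            elif m.islnk() and not resolves_inside(m.linkname):  # hardlink: archive-relative
                bad.append(m.name)
    return bad

def build_sample_zip():
    """Constructed sample (not the advisory's PoC archive): one harmless
    entry and two that try to climb out of the destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../.bashrc", "# would land two levels up\n")
        zf.writestr("docs/../../.config/autostart/x.desktop", "")
    return buf.getvalue()
```

Running `unsafe_entries(build_sample_zip())` returns the two escaping names and nothing else; an empty list means every entry stays under the destination.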
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
can be applied to previous releases.
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.