From 6a2bc22ca76a5474d53ed8e5d204c188e5110b60 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Wed, 5 Feb 2025 12:56:28 +0800
Subject: [PATCH] fix CVE-2024-57966
---
 ark.spec | 6 +++-
 backport-CVE-2024-57966.patch | 53 +++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-57966.patch
diff --git a/ark.spec b/ark.spec
index 63c83f4..9c8c0cd 100644
--- a/ark.spec
+++ b/ark.spec
@@ -1,7 +1,7 @@
 Name: ark
 Summary: Archive manager
 Version: 23.08.4
-Release: 2
+Release: 3
 License: GPLv2+
 URL: https://www.kde.org/applications/utilities/ark/
@@ -9,6 +9,7 @@ URL: https://www.kde.org/applications/utilities/ark/
 %global stable %stable_kf5
 Source0: http://download.kde.org/%{stable}/release-service/%{version}/src/%{name}-%{version}.tar.xz
+Patch6001: backport-CVE-2024-57966.patch
 BuildRequires: bzip2-devel
 BuildRequires: desktop-file-utils
@@ -103,6 +104,9 @@ desktop-file-validate %{buildroot}%{_kf5_datadir}/applications/org.kde.ark.deskt
 %changelog
+* Tue Feb 04 2025 Funda Wang - 23.08.4-3
+- fix CVE-2024-57966
+
 * Fri Nov 15 2024 ChenYanpan - 23.08.4-2
 - adapt to the new CMake macros to fix build failure
diff --git a/backport-CVE-2024-57966.patch b/backport-CVE-2024-57966.patch
new file mode 100644
index 0000000..c4fafe6
--- /dev/null
+++ b/backport-CVE-2024-57966.patch
@@ -0,0 +1,53 @@
+From fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Thu, 7 Nov 2024 14:47:26 +0100
+Subject: [PATCH] Treat absolute paths as relative paths during extraction
+
+Tell libarchive to use the path for extraction that Ark uses internally.
+In addition, set the ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS flag to avoid
+that absolute paths are used by accident.
+
+(cherry picked from commit cc9ea9e89c1c679d398809e94f1217b1f73c4b48)
+---
+ plugins/libarchive/libarchiveplugin.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 8d489f58f..9b47bae8c 100644
+--- a/plugins/libarchive/libarchiveplugin.cpp
++++ b/plugins/libarchive/libarchiveplugin.cpp
+@@ -307,6 +307,11 @@
+ entryName.remove(0, 1);
+ }
+
++ // If this ends up empty (e.g. from // or ./), convert to ".".
++ if (entryName.isEmpty()) {
++ entryName = QStringLiteral(".");
++ }
++
+ // Should the entry be extracted?
+ if (extractAll ||
+ remainingFiles.contains(entryName) ||
+@@ -321,10 +326,12 @@
+ continue;
+ }
+
+- // entryFI is the fileinfo pointing to where the file will be
++ // Make sure libarchive uses the same path as we expect, based on transformations and renames,
++ qCDebug(ARK) << "setting path to " << entryName;
++ archive_entry_copy_pathname(entry, QFile::encodeName(entryName).constData());
++ // entryFI is the fileinfo pointing to where the file will be
+ // written from the archive.
+ QFileInfo entryFI(entryName);
+- //qCDebug(ARK) << "setting path to " << archive_entry_pathname( entry );
+
+ if (isSingleFile && fileBeingRenamed.isEmpty()) {
+ // Rename extracted file from libarchive-internal "data" name to the archive uncompressed name.
+@@ -568,6 +575,7 @@
+ int LibarchivePlugin::extractionFlags() const
+ {
+ return ARCHIVE_EXTRACT_TIME
++ | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
+ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
-- Gitee
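Review bot: The CVE fix carried in this new file takes effect only if the spec actually applies it, and the ark.spec hunks above add just the `Patch6001:` declaration with no change to `%prep`. If `%prep` (not visible in this commit) does not already use `%autosetup -p1` or `%autopatch`, a line such as `%patch -P 6001 -p1` is needed; otherwise release 3 would build without the path rewrite or `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS`. Within the embedded patch, the new comment before `archive_entry_copy_pathname` ends on a comma and reads as cut off; I would write `// Make libarchive extract to the same path Ark checked above, after transformations and renames.` The enclosing extraction loop starts and ends outside the embedded hunks.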