Index: branches/2020Q3/archivers/ark/Makefile =================================================================== --- branches/2020Q3/archivers/ark/Makefile (revision 543704) +++ branches/2020Q3/archivers/ark/Makefile (revision 543705) @@ -1,46 +1,47 @@ # $FreeBSD$ PORTNAME= ark DISTVERSION= ${KDE_APPLICATIONS_VERSION} +PORTREVISION= 1 CATEGORIES= archivers kde kde-applications MAINTAINER= kde@FreeBSD.org COMMENT= Archiving tool for KDE LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/COPYING USES= cmake compiler:c++11-lang desktop-file-utils gettext libarchive kde:5 \ qt:5 shared-mime-info tar:xz USE_KDE= archive auth bookmarks codecs completion config configwidgets \ coreaddons crash dbusaddons doctools ecm i18n iconthemes \ itemmodels itemviews jobwidgets khtml kio parts pty service \ solid sonnet textwidgets widgetsaddons xmlgui USE_QT= concurrent core dbus gui network widgets xml \ buildtools_build qmake_build USE_LDCONFIG= yes OPTIONS_DEFINE= 7ZIP RAR ZIP DOCS OPTIONS_DEFAULT= 7ZIP ZIP DOCS OPTIONS_DEFAULT_i386= RAR OPTIONS_DEFAULT_amd64= RAR OPTIONS_SUB= YES # The 7ZIP and RAR options only need runtime dependencies; # the port builds identically with or without them. 7ZIP_DESC= Support for 7-Zip archives (runtime) 7ZIP_RUN_DEPENDS= 7z:archivers/p7zip RAR_DESC= Support for RAR archives (runtime) RAR_RUN_DEPENDS= unrar:archivers/unrar \ rar:archivers/rar ZIP_DESC= Support for ZIP archives ZIP_LIB_DEPENDS= libzip.so:archivers/libzip ZIP_CMAKE_BOOL_OFF= CMAKE_DISABLE_FIND_PACKAGE_LibZip # Override shared library version KDE_APPLICATIONS_SHLIB_VER=20.4.2 .include Index: branches/2020Q3/archivers/ark/files/patch-git_0d5952 =================================================================== --- branches/2020Q3/archivers/ark/files/patch-git_0d5952 (nonexistent) +++ branches/2020Q3/archivers/ark/files/patch-git_0d5952 (revision 543705) 
@@ -0,0 +1,46 @@
+From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
+From: Elvis Angelaccio
+Date: Wed, 29 Jul 2020 23:45:30 +0200
+Subject: [PATCH] Fix vulnerability to path traversal attacks
+
+Ark was vulnerable to directory traversal attacks because of
+missing validation of file paths in the archive.
+
+More details about this attack are available at:
+https://github.com/snyk/zip-slip-vulnerability
+
+Job::onEntry() is the only place where we can safely check the path of
+every entry in the archive. There shouldn't be a valid reason
+to have a "../" in an archive path, so we can just play safe and abort
+the LoadJob if we detect such an entry. This makes impossibile to
+extract this kind of malicious archives and perform the attack.
+
+Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
+so that we can still allow loading of legitimate archives that
+contain "../" in their paths but still resolve inside the extraction folder.
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
+index fdaa48695..f73b56f86 100644
+--- kerfuffle/jobs.cpp
++++ kerfuffle/jobs.cpp
+@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
+
+ void Job::onEntry(Archive::Entry *entry)
+ {
++ const QString entryFullPath = entry->fullPath();
++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++ qCWarning(ARK) << "Possibly malicious archive. 
Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++ onFinished(false);
++ return;
++ }
++
+ emit newEntry(entry);
+ }
+
+--
+GitLab
+
Property changes on: branches/2020Q3/archivers/ark/files/patch-git_0d5952
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2020Q3
===================================================================
--- branches/2020Q3 (revision 543704)
+++ branches/2020Q3 (revision 543705)
Property changes on: branches/2020Q3
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r543704
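Review bot: The guard added to Job::onEntry rejects only a cleaned path that still contains `../`, so an absolute entry path such as `/etc/foo`, which QDir::cleanPath leaves intact, and an entry that cleans to exactly `..` (no trailing slash, e.g. `../` or `a/../..`) both pass the filter although neither resolves inside the extraction directory. Because cleanPath can only leave `..` components at the front of a relative path, the test can be made tighter with `const QString cleaned = QDir::cleanPath(entryFullPath);` followed by `if (cleaned == QLatin1String("..") || cleaned.startsWith(QLatin1String("../")) || cleaned.startsWith(QLatin1Char('/'))) {`. Whether the libarchive backend already strips leading slashes is not visible from this hunk, and the 7z/unrar CLI backends feed the same onEntry path, so rejecting them here is the safer choice. Name inspection also cannot catch an archive that first extracts a symlink pointing outside the destination and then a file beneath it; that depends on the extraction backends, which this patch does not touch.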