Index: head/archivers/ark/Makefile =================================================================== --- head/archivers/ark/Makefile (revision 546705) +++ head/archivers/ark/Makefile (revision 546706) @@ -1,46 +1,47 @@ # $FreeBSD$ PORTNAME= ark DISTVERSION= ${KDE_APPLICATIONS_VERSION} +PORTREVISION= 1 CATEGORIES= archivers kde kde-applications MAINTAINER= kde@FreeBSD.org COMMENT= Archiving tool for KDE LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/COPYING USES= cmake compiler:c++11-lang desktop-file-utils gettext libarchive kde:5 \ qt:5 shared-mime-info tar:xz USE_KDE= archive auth bookmarks codecs completion config configwidgets \ coreaddons crash dbusaddons doctools ecm i18n iconthemes \ itemmodels itemviews jobwidgets khtml kio parts pty service \ solid sonnet textwidgets widgetsaddons xmlgui USE_QT= concurrent core dbus gui network widgets xml \ buildtools_build qmake_build USE_LDCONFIG= yes OPTIONS_DEFINE= 7ZIP RAR ZIP DOCS OPTIONS_DEFAULT= 7ZIP ZIP DOCS OPTIONS_DEFAULT_i386= RAR OPTIONS_DEFAULT_amd64= RAR OPTIONS_SUB= YES # The 7ZIP and RAR options only need runtime dependencies; # the port builds identically with or without them. 7ZIP_DESC= Support for 7-Zip archives (runtime) 7ZIP_RUN_DEPENDS= 7z:archivers/p7zip RAR_DESC= Support for RAR archives (runtime) RAR_RUN_DEPENDS= unrar:archivers/unrar \ rar:archivers/rar ZIP_DESC= Support for ZIP archives ZIP_LIB_DEPENDS= libzip.so:archivers/libzip ZIP_CMAKE_BOOL_OFF= CMAKE_DISABLE_FIND_PACKAGE_LibZip # Override shared library version KDE_APPLICATIONS_SHLIB_VER=20.8.0 .include Index: head/archivers/ark/files/patch-cve_2020-24654 =================================================================== --- head/archivers/ark/files/patch-cve_2020-24654 (nonexistent) +++ head/archivers/ark/files/patch-cve_2020-24654 (revision 546706) @@ -0,0 +1,54 @@ +From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001 +From: Fabian Vogt +Date: Tue, 25 Aug 2020 22:14:37 +0200 +Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive + +There are archive types which allow to first create a symlink and then +later on dereference it. If the symlink points outside of the archive, +this results in writing outside of the destination directory. + +With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids +this situation by verifying that none of the target path components are +symlinks before writing. + +Remove the commented out code in the method, which would actually +misbehave if enabled again. + +Signed-off-by: Fabian Vogt +--- + plugins/libarchive/libarchiveplugin.cpp | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp +index 50e81da1..8a0fed21 100644 +--- plugins/libarchive/libarchiveplugin.cpp ++++ plugins/libarchive/libarchiveplugin.cpp +@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry) + + int LibarchivePlugin::extractionFlags() const + { +- int result = ARCHIVE_EXTRACT_TIME; +- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; +- +- // TODO: Don't use arksettings here +- /*if ( ArkSettings::preservePerms() ) +- { +- result &= ARCHIVE_EXTRACT_PERM; +- } +- +- if ( !ArkSettings::extractOverwrite() ) +- { +- result &= ARCHIVE_EXTRACT_NO_OVERWRITE; +- }*/ +- +- return result; ++ return ARCHIVE_EXTRACT_TIME ++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT ++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS; + } + + void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress) +-- +GitLab + + Property changes on: head/archivers/ark/files/patch-cve_2020-24654 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property