Submitted By: Bruce Dubbs (bdubbs at linuxfromscratch dot org) Date: 2020-08-28 Initial Package Version: ark-20.08.0 Origin: https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd Upstream Status: Committed Description: A maliciously crafted TAR archive with symlinks can install files outside the extraction directory. diff -Naur ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp --- ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp 2020-08-05 02:53:26.000000000 -0500 +++ ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp 2020-08-28 12:46:09.307464120 -0500 @@ -509,21 +509,9 @@ int LibarchivePlugin::extractionFlags() const { - int result = ARCHIVE_EXTRACT_TIME; - result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; - - // TODO: Don't use arksettings here - /*if ( ArkSettings::preservePerms() ) - { - result &= ARCHIVE_EXTRACT_PERM; - } - - if ( !ArkSettings::extractOverwrite() ) - { - result &= ARCHIVE_EXTRACT_NO_OVERWRITE; - }*/ - - return result; + return ARCHIVE_EXTRACT_TIME + | ARCHIVE_EXTRACT_SECURE_NODOTDOT + | ARCHIVE_EXTRACT_SECURE_SYMLINKS; } void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)