
Bug#969437: marked as done (ark: CVE-2020-24654)



Your message dated Thu, 03 Sep 2020 14:33:39 +0000
with message-id <E1kDqJ1-0004eu-QY@fasolo.debian.org>
and subject line Bug#969437: fixed in ark 4:20.08.1-1
has caused the Debian Bug report #969437,
regarding ark: CVE-2020-24654
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
969437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969437
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ark
Version: 4:20.08.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ark.

CVE-2020-24654[0]:
| In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can
| install files outside the extraction directory, as demonstrated by a
| write operation to a user's home directory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24654
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24654
[1] https://kde.org/info/security/advisory-20200827-1.txt
[2] https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
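The CVE text above describes a symlink entry that is extracted first and then honoured when a later entry is written through it. The following audit routine is an added example, not code from Ark, the advisory or this bug report: it walks a TAR archive in member order with Python's `tarfile` module and reports every entry that would land outside the extraction root, either directly or through a previously recorded symlink. The archive it audits is constructed inline.

```python
import io
import posixpath
import tarfile

def _outside(rel):
    # Root-relative path that is absolute or climbs above the extraction root.
    return posixpath.isabs(rel) or rel == ".." or rel.startswith("../")

def _resolve(path, links):
    """Re-resolve an archive path through every symlink recorded so far."""
    resolved = "/" if posixpath.isabs(path) else ""
    for part in posixpath.normpath(path).split("/"):
        resolved = posixpath.normpath(posixpath.join(resolved, part))
        resolved = links.get(resolved, resolved)
    return resolved

def audit_tar(data):
    """Return (member, reason) pairs that would land outside the extraction root."""
    findings, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # archive order, like a naive extractor
            where = _resolve(m.name, links)
            if _outside(where):
                findings.append((m.name, "path resolves outside destination"))
            elif m.issym():
                resolved = m.linkname if posixpath.isabs(m.linkname) else posixpath.normpath(
                    posixpath.join(posixpath.dirname(where), m.linkname))
                links[where] = resolved  # later entries under `where` land here
                if _outside(resolved):
                    findings.append((m.name, "symlink target escapes destination"))
    return findings

def build_sample():
    """Constructed archive (not from the advisory) with the symlink pattern the CVE text describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, linkname=None, data=b"x"):
            info = tarfile.TarInfo(name)
            if linkname is None:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
        add("docs/latest", "v2")   # harmless: resolves to docs/v2
        add("lnk", "..")           # points above the extraction root
        add("lnk/escaped.txt")     # would be written to ../escaped.txt
    return buf.getvalue()
```

Running `audit_tar(build_sample())` flags both the escaping symlink and the file written through it, while the relative link under `docs/` passes.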
--- Begin Message ---
Source: ark
Source-Version: 4:20.08.1-1
Done: Pino Toscano <pino@debian.org>

We believe that the bug you reported is fixed in the latest version of
ark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated ark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 03 Sep 2020 16:19:56 +0200
Source: ark
Architecture: source
Version: 4:20.08.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Pino Toscano <pino@debian.org>
Closes: 969437
Changes:
 ark (4:20.08.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - fixes CVE-2020-24654 (Closes: #969437)
   * Update lintian overrides.

--- End Message ---
