
Bug#969437: marked as done (ark: CVE-2020-24654)



Your message dated Sat, 05 Sep 2020 17:02:16 +0000
with message-id <E1kEbZw-000BOr-8T@fasolo.debian.org>
and subject line Bug#969437: fixed in ark 4:18.08.3-1+deb10u2
has caused the Debian Bug report #969437,
regarding ark: CVE-2020-24654
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
969437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969437
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ark
Version: 4:20.08.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ark.

CVE-2020-24654[0]:
| In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can
| install files outside the extraction directory, as demonstrated by a
| write operation to a user's home directory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24654
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24654
[1] https://kde.org/info/security/advisory-20200827-1.txt
[2] https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ark
Source-Version: 4:18.08.3-1+deb10u2
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Sep 2020 23:23:48 +0200
Source: ark
Architecture: source
Version: 4:18.08.3-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 969437
Changes:
 ark (4:18.08.3-1+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive
     (CVE-2020-24654) (Closes: #969437)


--- End Message ---
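The buster update closes this bug by passing libarchive's ARCHIVE_EXTRACT_SECURE_SYMLINKS flag, which makes libarchive refuse to extract any entry whose on-disk location would be redirected by a symlink. The following added example, which is not ark's or libarchive's code, reproduces that check in Python over a constructed in-memory TAR: the symlink member is created as usual, but the later member routed through it is refused instead of being written outside the extraction directory. The member names, the `outside` directory and the `build_sample_tar`/`demo` helpers are assumptions made for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def would_escape(dest: str, name: str) -> bool:
    """True if `name` written under `dest` resolves outside it; realpath() follows '..' and on-disk symlinks."""
    dest_real = os.path.realpath(dest)
    return os.path.commonpath([dest_real, os.path.realpath(os.path.join(dest_real, name))]) != dest_real

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract in archive order, re-checking each member against the on-disk state
    (an earlier symlink member changes where later names resolve); returns refused names."""
    refused = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            if would_escape(dest, m.name):
                refused.append(m.name)
            elif m.issym():
                os.symlink(m.linkname, path)  # creating the link is allowed; writing through it is not
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
    return refused

def _add_file(tar: tarfile.TarFile, name: str, payload: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))

def build_sample_tar(outside: str) -> bytes:
    """Constructed sample: a benign file, a symlink to `outside`, then a file routed through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "readme.txt", b"benign")
        link = tarfile.TarInfo("link")
        link.type, link.linkname = tarfile.SYMTYPE, outside
        tar.addfile(link)
        _add_file(tar, "link/evil.txt", b"escaped")
    return buf.getvalue()

def demo() -> tuple[list[str], list[str], list[str]]:
    # Returns (refused member names, contents of `outside`, contents of the extraction dir)
    with tempfile.TemporaryDirectory() as root:
        outside, dest = os.path.join(root, "outside"), os.path.join(root, "extract")
        os.makedirs(outside); os.makedirs(dest)
        refused = safe_extract(build_sample_tar(outside), dest)
        return refused, sorted(os.listdir(outside)), sorted(os.listdir(dest))
```

Because the check runs against the file system state at the moment each member is written, it also catches a symlink that was planted by an earlier member of the same archive, which is exactly the ordering the CVE description relies on.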
