Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Gentoo: GLSA-202008-03 Normal: Ark Arbitrary File Overwrite Risk

gentoo
Calendar Grey August 8, 2020
Dist Gentoo Esm H88
Gentoo Security Advisory GLSA 202108-04 highlights a vulnerability in KDiskFree. Users are urged to update their systems promptly.
Ark was found to allow arbitrary file overwrite, possibly allowing arbitrary code execution.

Summary

A maliciously crafted archive with "../" in the file path(s) could install files anywhere in the user's home directory upon extraction.

Topics%20covered

Topics Covered

security advisory gentoo file overwrite arbitrary execution normal severity attack impact

Resolution

All Ark users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r1"

References

[ 1 ] CVE-2020-16116 https://nvd.nist.gov/vuln/detail/CVE-2020-16116

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202008-03
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Ark: Arbitrary code execution
Date: August 08, 2020
Bugs: #734622
ID: 202008-03

Topics%20covered

Topics Covered

security advisory gentoo file overwrite arbitrary execution normal severity attack impact

Synopsis

Ark was found to allow arbitrary file overwrite, possibly allowing arbitrary code execution.

Background

Ark is a graphical file compression/decompression utility with support for multiple formats.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 kde-apps/ark < 20.04.3-r1 >= 20.04.3-r1

Impact

===== A remote attacker could entice a user to open a specially crafted archive using Ark, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

Avoid opening untrusted archives.

Related News

Your message here