- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202101-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Ark: Symlink vulnerability
Date: January 11, 2021
Bugs: #743959
ID: 202101-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Ark was found to allow arbitrary file overwrite, possibly allowing
arbitrary code execution.
Background
==========
Ark is a graphical file compression/decompression utility with support
for multiple formats.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-apps/ark < 20.04.3-r2 >= 20.04.3-r2
Description
===========
KDE Ark did not fully verify symlinks contained within tar archives.
Impact
======
A remote attacker could entice a user to open a specially crafted tar
archive using KDE Ark, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All KDE Ark users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r2"
References
==========
[ 1 ] CVE-2020-24654
https://nvd.nist.gov/vuln/detail/CVE-2020-24654
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202101-06
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Gentoo: GLSA-202101-06: Ark: Symlink vulnerability
Summary
KDE Ark did not fully verify symlinks contained within tar archives.
Resolution
All KDE Ark users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-apps/ark-20.04.3-r2"
References
[ 1 ] CVE-2020-24654
https://nvd.nist.gov/vuln/detail/CVE-2020-24654
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202101-06
Concerns
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
Severity
Severity: Normal
Title: Ark: Symlink vulnerability
Date: January 11, 2021
Bugs: #743959
ID: 202101-06
Synopsis
Ark was found to allow arbitrary file overwrite, possibly allowing
arbitrary code execution.
Background
Ark is a graphical file compression/decompression utility with support
for multiple formats.
Affected Packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-apps/ark < 20.04.3-r2 >= 20.04.3-r2
Impact
A remote attacker could entice a user to open a specially crafted tar
archive using KDE Ark, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.
Workaround
There is no known workaround at this time.
News
HOWTOs
Features
Secure Linux Hosting for Businesses
What Is Threat Intelligence?
CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services
LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website
Biden's New Executive Cybersecurity Order Highlights the Power of Open-Source Security
About Us
Powered By
