ark: patches for CVE-2020-16116 and CVE-2020-24654

4 files changed, 60 insertions, 3 deletions

diff --git a/archivers/ark/Makefile b/archivers/ark/Makefile
index a79da298a3f..f5fda1ccc0a 100644
--- a/archivers/ark/Makefile
+++ b/archivers/ark/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2020/08/18 17:57:33 leot Exp $
+# $NetBSD: Makefile,v 1.62 2020/09/20 11:05:31 markd Exp $
 
 DISTNAME=	ark-${KAPPSVER}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	x11
 
 HOMEPAGE=	https://kde.org/applications/utilities/ark/
diff --git a/archivers/ark/distinfo b/archivers/ark/distinfo
index dd560c9cdc7..1f2e72b79d0 100644
--- a/archivers/ark/distinfo
+++ b/archivers/ark/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.12 2020/06/09 11:56:05 markd Exp $
+$NetBSD: distinfo,v 1.13 2020/09/20 11:05:31 markd Exp $
 
 SHA1 (ark-20.04.1.tar.xz) = 8749d72169443e38514a64a850aad1f88f616422
 RMD160 (ark-20.04.1.tar.xz) = ec8435d4d5d5aeff657762ba4441acf3f6237bf7
 SHA512 (ark-20.04.1.tar.xz) = 4433b6aee95a88f7a57cca1275a25194cd721b26d38b60059b907c5f7949e75ddc76337f33ed4e07c095622f8e8ee20e9ce1158e02ff620d386fefd6e3472ff1
 Size (ark-20.04.1.tar.xz) = 2587528 bytes
+SHA1 (patch-kerfuffle_jobs.cpp) = 41684c88ef8518e9a06ddcb073cf7251f78b9a79
+SHA1 (patch-plugins_libarchive_libarchiveplugin.cpp) = 1cd5da5873f3e32f79ce0a85a1afabca28b96fcd
diff --git a/archivers/ark/patches/patch-kerfuffle_jobs.cpp b/archivers/ark/patches/patch-kerfuffle_jobs.cpp
new file mode 100644
index 00000000000..e4433f98005
--- /dev/null
+++ b/archivers/ark/patches/patch-kerfuffle_jobs.cpp
@@ -0,0 +1,22 @@
+$NetBSD: patch-kerfuffle_jobs.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
+
+https://kde.org/info/security/advisory-20200730-1.txt
+A maliciously crafted archive with "../" in the file paths would
+install files anywhere in the user's home directory upon extraction.
+
+--- kerfuffle/jobs.cpp.orig	2020-05-11 21:15:07.000000000 +0000
++++ kerfuffle/jobs.cpp
+@@ -181,6 +181,13 @@ void Job::onError(const QString & messag
+ 
+ void Job::onEntry(Archive::Entry *entry)
+ {
++    const QString entryFullPath = entry->fullPath();
++    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++        qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++        onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++        onFinished(false);
++        return;
++    }
+     emit newEntry(entry);
+ }
+ 
diff --git a/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp b/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp
new file mode 100644
index 00000000000..3d3fc5a4d50
--- /dev/null
+++ b/archivers/ark/patches/patch-plugins_libarchive_libarchiveplugin.cpp
@@ -0,0 +1,33 @@
+$NetBSD: patch-plugins_libarchive_libarchiveplugin.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $
+
+https://kde.org/info/security/advisory-20200827-1.txt
+A maliciously crafted TAR archive containing symlink entries would
+install files anywhere in the user's home directory upon extraction.
+
+--- plugins/libarchive/libarchiveplugin.cpp.orig	2020-05-11 21:15:07.000000000 +0000
++++ plugins/libarchive/libarchiveplugin.cpp
+@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArch
+ 
+ int LibarchivePlugin::extractionFlags() const
+ {
+-    int result = ARCHIVE_EXTRACT_TIME;
+-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+-    // TODO: Don't use arksettings here
+-    /*if ( ArkSettings::preservePerms() )
+-    {
+-        result &= ARCHIVE_EXTRACT_PERM;
+-    }
+-
+-    if ( !ArkSettings::extractOverwrite() )
+-    {
+-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+-    }*/
+-
+-    return result;
++    return ARCHIVE_EXTRACT_TIME
++           | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++           | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+ 
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)