Bug 1880358 (CVE-2020-24654)

Summary: CVE-2020-24654 ark: crafted TAR archive with symlinks can install files outside the extraction directory
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jreznik, kde-sig, rdieter, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ark 20.08.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 17:48:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1880668
Bug Blocks: 1880374

Description Dhananjay Arunesh 2020-09-18 10:50:53 UTC
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

References:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
https://kde.org/info/security/advisory-20200827-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

Comment 1 Todd Cullum 2020-09-18 22:33:13 UTC
Flaw summary:

Using a symbolic link, it's possible for a malicious archive file to be crafted which allows for the extraction of files into other directories within the same scope. For example, a user who downloads an archive into ~/Downloads/ and subsequently uses ark to extract it, could end up extracting files into /tmp or their home directory. The severity of this flaw is very low because the biggest risk would be destruction of data in the case that e.g. there exists a file ~/some_important_info.txt and the flaw is used to trick a user into overwriting some_important_info.txt when the user believes they are extracting into a different directory. However, in this instance, ark-4.10.5, as shipped with Red Hat Enterprise Linux 7, prompts the user about whether they'd like to overwrite the file. Thus, it requires user interaction to actually perform any compromise of integrity.

This flaw could be used to drop random files on the user's file system in locations that they may not be aware of, but it would have to be combined with other vulnerabilities or security compromises in order for an attacker to do anything serious. The most likely way this could be harmful is if the user was ok with overwriting a file in their current directory, but not a file of the same name in another directory, and inadvertently accepted overwriting not knowing where it was being extracted to.

This is quite a stretch but possible.

Comment 2 Todd Cullum 2020-09-18 22:36:06 UTC
Mitigation:

The way to mitigate this flaw is to pay attention to the contents of the archive in ark before extracting, to ensure that there are no improper symlinks, and heed the file overwrite warnings.
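As an added example (not from the bug report, from Ark, or from Red Hat), the following Python check applies the mitigation above mechanically: it lists the TAR entries that would land outside the chosen extraction directory, including a regular file written through a symlink declared earlier in the same archive. The destination path and the in-memory sample archive are constructed for the demonstration.

```python
import io
import posixpath
import tarfile

def _inside(dest, path):
    return path == dest or path.startswith(dest + "/")

def _resolve(dest, archive_path, links):
    """Map an archive path onto its final location under dest, following
    symlinks declared by earlier members (links: abs path -> abs target)."""
    cur = dest
    for part in posixpath.normpath(archive_path).split("/"):
        if part not in ("", "."):
            cur = posixpath.normpath(posixpath.join(cur, part))
            cur = links.get(cur, cur)
    return cur

def unsafe_members(tar, dest="/home/user/extract"):
    """Return [(name, reason)] for members that would land outside dest.
    Pure path arithmetic, no filesystem access: dest is an absolute posix path."""
    dest = posixpath.normpath(dest)
    links, bad = {}, []
    for m in tar.getmembers():
        where = _resolve(dest, m.name, links)
        if not _inside(dest, where):
            bad.append((m.name, "written outside " + dest))
            continue
        if m.issym():
            # A relative link target is interpreted from the link's own directory.
            target = m.linkname if m.linkname.startswith("/") \
                else posixpath.join(posixpath.dirname(where), m.linkname)
            links[where] = target = posixpath.normpath(target)
            if not _inside(dest, target):
                bad.append((m.name, "symlink points outside " + dest))
        elif m.islnk() and not _inside(dest, _resolve(dest, m.linkname, links)):
            bad.append((m.name, "hard link target outside " + dest))
    return bad

def build_sample():
    """Constructed archive with the CVE-2020-24654 shape: a harmless file, a
    symlink escaping the extraction directory, then a file dropped through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(tarfile.TarInfo("docs/readme.txt"), io.BytesIO(b""))
        link = tarfile.TarInfo("home")
        link.type, link.linkname = tarfile.SYMTYPE, "../.."
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("home/.bashrc"), io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

On Python 3.12 and later (and the PEP 706 security backports), `extractall(path, filter="data")` rejects such entries at extraction time; the check above is for inspecting an archive before it reaches any extractor, which is what the mitigation comment asks the user to do by eye.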