A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.
Created ark tracking bugs for this issue:
Affects: epel-8 [bug 1862466]
Affects: fedora-all [bug 1862465]
it's fixed in ark-20.04.3-3
FEDORA-2020-cac5ae9b6e has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
ark as shipped with Red Hat Enterprise Linux 7 prompts the user before allowing extraction into home directory, and also displays an error. Because the user must agree to perform the extraction in the home directory, Red Hat Product Security does not view this as a security vulnerability in ark as shipped with Red Hat Enterprise Linux 7.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):