In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

References:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
https://kde.org/info/security/advisory-20200827-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

Flaw summary: Using a symbolic link, a malicious archive file can be crafted so that files are extracted into other directories within the same scope. For example, a user who downloads an archive into ~/Downloads/ and subsequently uses ark to extract it could end up extracting files into /tmp or their home directory.

The severity of this flaw is very low because the biggest risk is destruction of data: for example, a file ~/some_important_info.txt exists and the flaw is used to trick the user into overwriting some_important_info.txt while the user believes they are extracting into a different directory. However, in this instance, ark-4.10.5, as shipped with Red Hat Enterprise Linux 7, prompts the user about whether they would like to overwrite the file. Thus, user interaction is required to actually compromise integrity.

This flaw could be used to drop random files on the user's file system in locations that they may not be aware of, but it would have to be combined with other vulnerabilities or security compromises for an attacker to do anything serious. The most likely way this could be harmful is if the user was OK with overwriting a file in their current directory, but not a file of the same name in another directory, and inadvertently accepted the overwrite without knowing where the file was being extracted to. This is quite a stretch, but possible.

Mitigation: To mitigate this flaw, inspect the contents of the archive in ark before extracting to ensure that there are no improper symlinks, and heed the file overwrite warnings.