Bug 725764 (CVE-2011-2725) - CVE-2011-2725 kdeutils: Ark path traversal
Summary: CVE-2011-2725 kdeutils: Ark path traversal
Alias: CVE-2011-2725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 744215 746986 746987 747073 747074 747076
Blocks: 725766
TreeView+ depends on / blocked
Reported: 2011-07-26 13:45 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:46 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:57:54 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2011-07-26 13:45:42 UTC
A path traversal flaw was found in the way Ark, the tool for managing various archive formats within the KDE environment, processed certain Zip archives. A remote attacker could provide a specially-crafted Zip archive, which once opened in the Ark GUI frontend would lead to arbitrary file being opened or, potentially, if the local victim provided correct user credentials could allow that file to be removed.

[1] http://www.openwall.com/lists/oss-security/2011/07/25/9
[2] https://bugzilla.novell.com/show_bug.cgi?id=708268

Comment 2 Jan Lieskovsky 2011-10-07 13:43:47 UTC
Further issue details from Nth Dimension Security Advisory (NDSA20110726):

Hash: SHA256

Nth Dimension Security Advisory (NDSA20110726)
Date: 26th July 2011
Author: Tim Brown <timb.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Ark 2.16 <http://utils.kde.org/projects/ark>
Vendor: KDE <http://www.kde.org/>
Risk: Medium


The Ark archiving tool is vulnerable to directory traversal via malformed
Zip files.  When attempts are made to view files within the malformed Zip
file in Ark's default view, the wrong file may be displayed due to incorrect
construction of the temporary file name.  Whilst this does not allow the
wrong file to be overwritten, after closing the default view, Ark will then
attempt to delete the temporary file which could result in the deletion of
the incorrect file.

After discussions with the vendor, CVE-2011-2725 was assigned to this

Technical Details

Ark is vulnerable to directory traversal in the way it handles temporary
files for rendering when you click view.  An archive that has been
manipulated such that it contains files in nested folders with the name
../../../whatever will be opened in the default view as
/temporary/location/../../../whatever.  Moreover when the viewer is closed,
QFile::remove will be called on the incorrect location allowing an
arbitrary file to be removed.  This can be reproduced using the following

$ echo pwned > $HOME/pwned
$ ls -la $HOME/pwned
$ touch ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/$HOME/pwned
$ zip -r PoC.zip ZZ
$ cat PoC.zip | sed "s/ZZ/../g" > PoC-evil.zip
$ ark PoC-evil.zip

Open the resultant compressed pwned in Ark's default view and you will see
$HOME/pwned instead. To cause this file to be deleted, simply close the view.
This can be verified by checking the existance of the non-compressed pwned
under $HOME:

$ ls -la $HOME/pwned

This is due to:

void Part::slotPreviewExtracted(KJob *job)
    // FIXME: the error checking here isn't really working
    //        if there's an error or an overwrite dialog,
    //        the preview dialog will be launched anyway
    if (!job->error()) {
        const ArchiveEntry& entry =
        const QString fullName =
            m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName
        ArkViewer::view(fullName, widget());
    } else {
        KMessageBox::error(widget(), job->errorString());

in part.cpp which differs from:

void Part::slotPreview(const QModelIndex & index)
    if (!m_previewDir) {
        m_previewDir = new KTempDir();

    if (!isPreviewable(index)) {

    const ArchiveEntry& entry =  m_model->entryForIndex(index);

    if (!entry.isEmpty()) {
        Kerfuffle::ExtractionOptions options;
        optione[QLatin1String( "PreservePaths" )] = true;

        ExtractJob *job = m_model->extractFile(entry[ InternalID ],
m_previewDir->name(), options);
        connect(job, SIGNAL(result(KJob*)),
                this, SLOT(slotPreviewExtracted(KJob*)));

It appears that LibArchiveInterface::copyFiles truncates the root node
such that the leading ../../.. get dropped dring the call to the
extractFile method whereas view simply loads m_previewDir->name() +
QLatin1Char( '/' ) + entry[ FileName ].toString().


Nth Dimension recommends that the vendor supplied patches should be applied.


On 29th June 2011, Nth Dimension contacted the KDE security team to
report the described vulnerability.

On 1st July 2011, Jeff Mitchell of KDE confirmed that he had recieved
the report and it had been escalated to Laurent Montel, a KDE developer
working on Ark to determine the impact.  Laurent examined the Nth
Dimension supplied test case to understand the the full extent
of the problem.

On 25th July 2011, Jeff Mitchell contacted oss-security on behalf of
the KDE security team to request a CVE for this vulnerability which was
duely assigned.  Following the assigment of a CVE for this issue, Nth
Dimension and KDE liased to establish a date for final publication
of the advisory and

At this point Raphael Kubo da Costa of KDE took ownership of the issue.
Raphael and Nth Dimension exchanged a number of emails where various
proposed solutions were discussed before the final patch was agreed on
the 23rd September 2011.  At this point it was confirmed that a
coordinated disclosure would occur on the 3rd October 2011.


As of the 4th October 2011, the state of the vulnerabilities is
believed to be as follows.  A patch has been developed which it is
successfully mitigates the issue identified.  KDE packaging teams
have been notified and vendor specific patches should already be


Nth Dimension would like to thank Laurent, Jeff and Raphael of KDE for
the way they worked to resolve the issue.
Version: GnuPG v1.4.11 (GNU/Linux)



Posted at:
[3] http://seclists.org/fulldisclosure/2011/Oct/351

Comment 3 Jan Lieskovsky 2011-10-07 13:54:59 UTC
This issue affects the versions of the kdeutils package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Comment 4 Jan Lieskovsky 2011-10-07 13:57:01 UTC
Created kdeutils tracking bugs for this issue

Affects: fedora-all [bug 744215]

Comment 5 Jan Lieskovsky 2011-10-07 14:28:05 UTC
This issue affects the version of the kdeutils package, as shipped with Red Hat Enterprise Linux 4.


This issue did NOT affect the versions of the kdeutils package, as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 11 Kevin Kofler 2011-10-07 16:16:59 UTC
> This issue affects the versions of the kdeutils package, as shipped with Fedora
> release of 14 and 15. Please schedule an update.

Grrr, that's what we get from not pushing the upgrade to 4.7.x to those releases.

I'm going to push a security update with a backported (to 4.6.5) patch.

Comment 12 Kevin Kofler 2011-10-07 16:43:00 UTC
Uhm, where's the patch for this issue? I can't find it in the upstream 4.7 branch either.

Comment 13 Ramon de C Valle 2011-10-17 10:11:29 UTC
The author of the patch said that he has not committed the fix upstream yet, but he will do ASAP and will let us know.

Comment 15 Ramon de C Valle 2011-10-18 13:39:27 UTC
(In reply to comment #5)
> This issue affects the version of the kdeutils package, as shipped with Red Hat
> Enterprise Linux 4.
> --
> This issue did NOT affect the versions of the kdeutils package, as shipped with
> Red Hat Enterprise Linux 5 and 6.

In fact, it seems that this issue did not affect the versions of kdeutils (3.3.1 and 3.5.4) as shipped with Red Hat Enterprise Linux 4 an 5, and affects the version of kdeutils (4.3.4) as shipped with Red Hat Enterprise Linux 6.

Comment 17 Ramon de C Valle 2011-10-18 17:52:29 UTC
After talking to Raphael, it seems that the versions of kdeutils (3.3.1 and 3.5.4) as shipped with Red Hat Enterprise Linux 4 and 5 are also affected, but in ArkWidget::showCurrentFile.

Note You need to log in before you can comment on or make changes to this bug.