A path traversal flaw was found in the way Ark, the tool for managing various archive formats within the KDE environment, processed certain Zip archives. A remote attacker could provide a specially-crafted Zip archive, which once opened in the Ark GUI frontend would lead to arbitrary file being opened or, potentially, if the local victim provided correct user credentials could allow that file to be removed. References: [1] http://www.openwall.com/lists/oss-security/2011/07/25/9 [2] https://bugzilla.novell.com/show_bug.cgi?id=708268
Further issue details from Nth Dimension Security Advisory (NDSA20110726): ========================================================================== -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Nth Dimension Security Advisory (NDSA20110726) Date: 26th July 2011 Author: Tim Brown <timb.uk> URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/> Product: Ark 2.16 <http://utils.kde.org/projects/ark> Vendor: KDE <http://www.kde.org/> Risk: Medium Summary The Ark archiving tool is vulnerable to directory traversal via malformed Zip files. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of the temporary file name. Whilst this does not allow the wrong file to be overwritten, after closing the default view, Ark will then attempt to delete the temporary file which could result in the deletion of the incorrect file. After discussions with the vendor, CVE-2011-2725 was assigned to this vulnerability. Technical Details Ark is vulnerable to directory traversal in the way it handles temporary files for rendering when you click view. An archive that has been manipulated such that it contains files in nested folders with the name ../../../whatever will be opened in the default view as /temporary/location/../../../whatever. Moreover when the viewer is closed, QFile::remove will be called on the incorrect location allowing an arbitrary file to be removed. This can be reproduced using the following steps: $ echo pwned > $HOME/pwned $ ls -la $HOME/pwned $ mkdir -p ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/$HOME $ touch ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/ZZ/$HOME/pwned $ zip -r PoC.zip ZZ $ cat PoC.zip | sed "s/ZZ/../g" > PoC-evil.zip $ ark PoC-evil.zip Open the resultant compressed pwned in Ark's default view and you will see $HOME/pwned instead. To cause this file to be deleted, simply close the view. This can be verified by checking the existance of the non-compressed pwned under $HOME: $ ls -la $HOME/pwned This is due to: void Part::slotPreviewExtracted(KJob *job) { // FIXME: the error checking here isn't really working // if there's an error or an overwrite dialog, // the preview dialog will be launched anyway if (!job->error()) { const ArchiveEntry& entry = m_model->entryForIndex(m_view->selectionModel()->currentIndex()); const QString fullName = m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString(); ArkViewer::view(fullName, widget()); } else { KMessageBox::error(widget(), job->errorString()); } setReadyGui(); } in part.cpp which differs from: void Part::slotPreview(const QModelIndex & index) { if (!m_previewDir) { m_previewDir = new KTempDir(); } if (!isPreviewable(index)) { return; } const ArchiveEntry& entry = m_model->entryForIndex(index); if (!entry.isEmpty()) { Kerfuffle::ExtractionOptions options; optione[QLatin1String( "PreservePaths" )] = true; ExtractJob *job = m_model->extractFile(entry[ InternalID ], m_previewDir->name(), options); registerJob(job); connect(job, SIGNAL(result(KJob*)), this, SLOT(slotPreviewExtracted(KJob*))); job->start(); } } It appears that LibArchiveInterface::copyFiles truncates the root node such that the leading ../../.. get dropped dring the call to the extractFile method whereas view simply loads m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString(). Solutions Nth Dimension recommends that the vendor supplied patches should be applied. History On 29th June 2011, Nth Dimension contacted the KDE security team to report the described vulnerability. On 1st July 2011, Jeff Mitchell of KDE confirmed that he had recieved the report and it had been escalated to Laurent Montel, a KDE developer working on Ark to determine the impact. Laurent examined the Nth Dimension supplied test case to understand the the full extent of the problem. On 25th July 2011, Jeff Mitchell contacted oss-security on behalf of the KDE security team to request a CVE for this vulnerability which was duely assigned. Following the assigment of a CVE for this issue, Nth Dimension and KDE liased to establish a date for final publication of the advisory and patches. At this point Raphael Kubo da Costa of KDE took ownership of the issue. Raphael and Nth Dimension exchanged a number of emails where various proposed solutions were discussed before the final patch was agreed on the 23rd September 2011. At this point it was confirmed that a coordinated disclosure would occur on the 3rd October 2011. Current As of the 4th October 2011, the state of the vulnerabilities is believed to be as follows. A patch has been developed which it is successfully mitigates the issue identified. KDE packaging teams have been notified and vendor specific patches should already be available. Thanks Nth Dimension would like to thank Laurent, Jeff and Raphael of KDE for the way they worked to resolve the issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJOjpvAAAoJEPJhpTVyySo7d1QP/AkR71/A+PndCvNRuCiAtJN8 kTCOoPqcTRgpPCvllAME52OJYBfJJhtLBYF4uNZgbkvoqZhAD4BdG0Wpdr9QmwBK olg7l2T8SAzbJBFjpuomon9Fug/LePcLCApLDCmDTcMYCEOBoeXnYm/+coIxjgFZ aTARpYtuccSVA93LpuHZ7T7cPNKqWvD2myReqO7OrFe7FcOAOWvLeHIUppaW4z3S V6Tqzc0XQs8Qy8ksyINuFlZVs+wP62sry9NToeqxbO7IU3+4S2uGEB5la/bxrb2j hSZwnHmKI30A9hkDNR4jxQO7BP4wXQ0lfSd2iS2sLTJr7hW8kT8qcLjcmydeodON m5wbZDmU25JtoSPwI2Ei88KqjicGH2NKXcKgXd3S/vi/6himYtnKQ7slsgp6t+KO oNpwvafl2R70LHQB61JzVSEYEuFR3e4YHjtaHdkXDIBrZyDKQn5f3kABoNHu66c1 1kdCEqf/tw7s2vYbxNPIbkc5iep50SQlQDwB4mRy7/1h9fcRbQXGflN4ER8qw6W0 EW97drXfAmPXimE41M5N4yJOwreaPo/rOaroLaMwfL1sYLOMRvIIzvlbQLv4xdNj phqHoSkxfIFdc7A/ZPb/MMy6n7UOXwyszudF/66sKwxjmyLUGPA34D6hjmAh3KHj H0DDYuL7M6xqQ9fCH6m/ =dNAb -----END PGP SIGNATURE----- ========================================================================== Posted at: [3] http://seclists.org/fulldisclosure/2011/Oct/351
This issue affects the versions of the kdeutils package, as shipped with Fedora release of 14 and 15. Please schedule an update.
Created kdeutils tracking bugs for this issue Affects: fedora-all [bug 744215]
This issue affects the version of the kdeutils package, as shipped with Red Hat Enterprise Linux 4. -- This issue did NOT affect the versions of the kdeutils package, as shipped with Red Hat Enterprise Linux 5 and 6.
> This issue affects the versions of the kdeutils package, as shipped with Fedora > release of 14 and 15. Please schedule an update. Grrr, that's what we get from not pushing the upgrade to 4.7.x to those releases. I'm going to push a security update with a backported (to 4.6.5) patch.
Uhm, where's the patch for this issue? I can't find it in the upstream 4.7 branch either.
The author of the patch said that he has not committed the fix upstream yet, but he will do ASAP and will let us know.
The author has commited the fixes upstream: http://commits.kde.org/ark/ccb5448eb2aedd150313ea0af431a9b754176975 http://commits.kde.org/ark/e88d2277a2ffa702b1f6f95ffd585fb0b2ec6210 http://commits.kde.org/ark/6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0 http://commits.kde.org/ark/7cf00339ff1b7764fd6b603d796b51cee5d8503c http://websvn.kde.org/?view=revision&revision=1259333 http://websvn.kde.org/?view=revision&revision=1259334
(In reply to comment #5) > This issue affects the version of the kdeutils package, as shipped with Red Hat > Enterprise Linux 4. > > -- > > This issue did NOT affect the versions of the kdeutils package, as shipped with > Red Hat Enterprise Linux 5 and 6. In fact, it seems that this issue did not affect the versions of kdeutils (3.3.1 and 3.5.4) as shipped with Red Hat Enterprise Linux 4 an 5, and affects the version of kdeutils (4.3.4) as shipped with Red Hat Enterprise Linux 6.
After talking to Raphael, it seems that the versions of kdeutils (3.3.1 and 3.5.4) as shipped with Red Hat Enterprise Linux 4 and 5 are also affected, but in ArkWidget::showCurrentFile.