Bug 1880358 (CVE-2020-24654) - CVE-2020-24654 ark: crafted TAR archive with symlinks can install files outside the extraction directory
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-24654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1880668
Blocks: 1880374
Reported: 2020-09-18 10:50 UTC by Dhananjay Arunesh
Modified: 2021-11-02 17:48 UTC

Fixed In Version: ark 20.08.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-02 17:48:21 UTC
Embargoed:



Description Dhananjay Arunesh 2020-09-18 10:50:53 UTC
In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

References:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
https://kde.org/info/security/advisory-20200827-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXMMXNJDYOCJRZTESIUGHG6CS4RJKECX/

Comment 1 Todd Cullum 2020-09-18 22:33:13 UTC
Flaw summary:

Using a symbolic link, it's possible for a malicious archive file to be crafted which allows for the extraction of files into other directories within the same scope. For example, a user who downloads an archive into ~/Downloads/ and subsequently uses ark to extract it, could end up extracting files into /tmp or their home directory. The severity of this flaw is very low because the biggest risk would be destruction of data in the case that e.g. there exists a file ~/some_important_info.txt and the flaw is used to trick a user into overwriting some_important_info.txt when the user believes they are extracting into a different directory. However, in this instance, ark-4.10.5, as shipped with Red Hat Enterprise Linux 7, prompts the user about whether they'd like to overwrite the file. Thus, it requires user interaction to actually perform any compromise of integrity.

This flaw could be used to drop random files on the user's file system in locations that they may not be aware of, but it would have to be combined with other vulnerabilities or security compromises in order for an attacker to do anything serious. The most likely way this could be harmful is if the user was ok with overwriting a file in their current directory, but not a file of the same name in another directory, and inadvertently accepted overwriting not knowing where it was being extracted to.

This is quite a stretch but possible.

Comment 2 Todd Cullum 2020-09-18 22:36:06 UTC
Mitigation:

The way to mitigate this flaw is to pay attention to the contents of the archive in ark before extracting, to ensure that there are no improper symlinks, and heed the file overwrite warnings.
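The pattern described in Comments 1 and 2 (a symlink entry followed by a file entry whose path passes through that link) can be checked mechanically before extraction rather than by eye. The following is an added example written for this page; it is not Ark's code and is not the fix in the linked commit. It simulates the extraction order of a TAR archive in memory, records each symlink the archive would create, and reports every member that would land outside the extraction root. The two sample archives (`build_malicious_tar`, `build_benign_tar`) are constructed inline for the demonstration; the benign one contains an internal symlink to show the check does not flag links that stay inside the root.

```python
"""Audit a TAR archive for members written outside the extraction root once the
archive's own symlinks are honoured. Hypothetical helper written for this page,
not Ark code; both sample archives are constructed in memory below."""
import io
import posixpath
import tarfile

MAX_LINK_HOPS = 64  # stop on symlink loops declared inside the archive


def virtual_resolve(path, symlinks):
    """Return where `path` lands relative to the extraction root, following
    symlinks recorded from earlier members (no filesystem access). A result
    that is absolute or begins with '..' is outside the root."""
    pending = [p for p in path.split("/") if p not in ("", ".")]
    resolved = ""
    hops = 0
    while pending:
        part = pending.pop(0)
        candidate = posixpath.normpath(posixpath.join(resolved, part)) if resolved else part
        if candidate in symlinks:
            hops += 1
            if hops > MAX_LINK_HOPS:
                raise ValueError("symlink loop while resolving %r" % path)
            target = symlinks[candidate]
            if posixpath.isabs(target):
                return posixpath.normpath(posixpath.join(target, *pending))
            # A relative link target is interpreted from the link's own directory.
            redirected = posixpath.join(posixpath.dirname(candidate), target)
            pending = [p for p in redirected.split("/") if p not in ("", ".")] + pending
            resolved = ""
            continue
        resolved = candidate
    return resolved or "."


def is_escaping(resolved):
    """True if a resolved path is outside the extraction root."""
    return posixpath.isabs(resolved) or resolved == ".." or resolved.startswith("../")


def audit_tar(data):
    """Return [(member_name, reason)] for every member that would be created
    outside the extraction directory; an empty list means no traversal."""
    problems, symlinks = [], {}  # symlinks: normalized link path -> link target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = None
            name = posixpath.normpath(member.name)
            if posixpath.isabs(member.name):
                reason = "absolute member path"
            else:
                landing = virtual_resolve(name, symlinks)
                if is_escaping(landing):
                    reason = "lands at %s" % landing
            if member.issym():
                target = member.linkname
                if posixpath.isabs(target):
                    where = target
                else:
                    where = virtual_resolve(posixpath.join(posixpath.dirname(name), target), symlinks)
                if reason is None and is_escaping(where):
                    reason = "symlink points to %s" % where
                symlinks[name] = target  # later members may be routed through it
            elif member.islnk():  # hard link: linkname is another archive path
                if reason is None and is_escaping(virtual_resolve(member.linkname, symlinks)):
                    reason = "hard link to %s" % member.linkname
            if reason is not None:
                problems.append((member.name, reason))
    return problems


def _add(tar, name, type_, linkname="", payload=b""):
    info = tarfile.TarInfo(name)
    info.type, info.linkname, info.size = type_, linkname, len(payload)
    tar.addfile(info, io.BytesIO(payload) if type_ == tarfile.REGTYPE else None)


def build_malicious_tar():
    """Constructed sample: 'data' -> '../..' followed by 'data/pwned.txt'. Extracted
    naively into ~/Downloads/ex/, the file is written into the home directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "data", tarfile.SYMTYPE, linkname="../..")
        _add(tar, "data/pwned.txt", tarfile.REGTYPE, payload=b"owned\n")
    return buf.getvalue()


def build_benign_tar():
    """Constructed sample with an internal symlink that stays inside the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "docs/v1", tarfile.DIRTYPE)
        _add(tar, "docs/current", tarfile.SYMTYPE, linkname="v1")
        _add(tar, "docs/current/readme.txt", tarfile.REGTYPE, payload=b"hello\n")
    return buf.getvalue()
```

Running `audit_tar(build_malicious_tar())` reports both the `data` symlink (its target `../..` leaves the root) and `data/pwned.txt` (it lands at `../../pwned.txt`), while the benign archive returns an empty list; extraction should proceed only on an empty result. The check resolves paths component by component in archive order because that is how an extractor sees them: a link is harmless until a later entry is written through it. Python 3.12 and later offer the same protection natively via `tarfile.extractall(..., filter="data")`, which refuses links that point outside the destination.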

