From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0439813835B for ; Wed, 25 Nov 2020 18:13:20 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4D932E08F7; Wed, 25 Nov 2020 18:13:19 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 01330E08F7 for ; Wed, 25 Nov 2020 18:13:18 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id CAFE6341220 for ; Wed, 25 Nov 2020 18:13:17 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 1695746F for ; Wed, 25 Nov 2020 18:13:15 +0000 (UTC)
From: "Andreas Sturmlechner"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner"
Message-ID: <1606327528.d0c9398bc5cdd3a9f94fe8848243d6a01c7d202e.asturm@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: kde-apps/ark/, kde-apps/ark/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: kde-apps/ark/Manifest kde-apps/ark/ark-20.04.3-r2.ebuild kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch
X-VCS-Directories: kde-apps/ark/files/ kde-apps/ark/
X-VCS-Committer: asturm
X-VCS-Committer-Name: Andreas Sturmlechner
X-VCS-Revision: d0c9398bc5cdd3a9f94fe8848243d6a01c7d202e
X-VCS-Branch: master
Date: Wed, 25 Nov 2020 18:13:15 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 891fc629-ff74-49e0-8b87-e9758208e2a6
X-Archives-Hash: 3a137effa0699d372d5cbe37192d6943

commit:     d0c9398bc5cdd3a9f94fe8848243d6a01c7d202e
Author:     Andreas Sturmlechner gentoo org>
AuthorDate: Wed Nov 25 17:50:58 2020 +0000
Commit:     Andreas Sturmlechner gentoo org>
CommitDate: Wed Nov 25 18:05:28 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0c9398b

kde-apps/ark: drop 20.04.3*

Signed-off-by: Andreas Sturmlechner gentoo.org>

 kde-apps/ark/Manifest                          |  1 -
 kde-apps/ark/ark-20.04.3-r2.ebuild             | 83 ----------------------
 .../ark/files/ark-20.04.3-CVE-2020-16116.patch | 46 ------------
 .../ark/files/ark-20.04.3-CVE-2020-24654.patch | 53 --------------
 4 files changed, 183 deletions(-)

diff --git a/kde-apps/ark/Manifest b/kde-apps/ark/Manifest
index 516e40a4e1f..1946a0daada 100644
--- a/kde-apps/ark/Manifest
+++ b/kde-apps/ark/Manifest
@@ -1,2 +1 @@ -DIST ark-20.04.3.tar.xz 2586436 BLAKE2B 98343a4bc91fd13a33ba9dd69487c27433435d4bff722245c2cde02191017f4fa0b2d15213b97a86c3ecd87a17bf59e62a80b63c6684c813845bec9bab58f441 SHA512 6274483bc7cad9b8b3842a622a3f243fd5756aec147624eb9041459efd5c833e203c286412185bb105133d8c83a7503c8c7e519b8cb9cbd13830793c3429e142 DIST ark-20.08.3.tar.xz 2711708 BLAKE2B c486320f113ab3d12b67aec7589e7973a022415da5dbe01754a9e454c74bb59d2b6556c6934aafd7b5c0ee685e2eca7feee276ad3ebb8a0c6f57aea5bc666a0f SHA512 41ab1498b77f9d152f900eba9e784e8ed28127c849796e42c18db5beb963b0c8f2a1ef1c408d37db02fb21577e5d8e08d8561b72b14042e079a5f1baffa01a01 diff --git a/kde-apps/ark/ark-20.04.3-r2.ebuild b/kde-apps/ark/ark-20.04.3-r2.ebuild deleted file mode 100644 index 9c906db1341..00000000000 --- a/kde-apps/ark/ark-20.04.3-r2.ebuild +++ /dev/null 
@@ -1,83 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -ECM_HANDBOOK="forceoptional" -ECM_TEST="optional" -KFMIN=5.70.0 -QTMIN=5.14.2 -VIRTUALX_REQUIRED="test" -inherit ecm kde.org optfeature - -DESCRIPTION="File archiver by KDE" -HOMEPAGE="https://apps.kde.org/en/ark https://utils.kde.org/projects/ark/" - -LICENSE="GPL-2" # TODO: CHECK -SLOT="5" -KEYWORDS="amd64 arm64 ~ppc64 x86" -IUSE="zip" - -BDEPEND=" - sys-devel/gettext -" -RDEPEND=" - app-arch/libarchive:=[bzip2,lzma,zlib] - >=dev-qt/qtdbus-${QTMIN}:5 - >=dev-qt/qtgui-${QTMIN}:5 - >=dev-qt/qtwidgets-${QTMIN}:5 - >=kde-frameworks/karchive-${KFMIN}:5 - >=kde-frameworks/kcompletion-${KFMIN}:5 - >=kde-frameworks/kconfig-${KFMIN}:5 - >=kde-frameworks/kconfigwidgets-${KFMIN}:5 - >=kde-frameworks/kcoreaddons-${KFMIN}:5 - >=kde-frameworks/kcrash-${KFMIN}:5 - >=kde-frameworks/kdbusaddons-${KFMIN}:5 - >=kde-frameworks/ki18n-${KFMIN}:5 - >=kde-frameworks/kio-${KFMIN}:5 - >=kde-frameworks/kitemmodels-${KFMIN}:5 - >=kde-frameworks/kjobwidgets-${KFMIN}:5 - >=kde-frameworks/kparts-${KFMIN}:5 - >=kde-frameworks/kpty-${KFMIN}:5 - >=kde-frameworks/kservice-${KFMIN}:5 - >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 - >=kde-frameworks/kxmlgui-${KFMIN}:5 - sys-libs/zlib - zip? 
( >=dev-libs/libzip-1.2.0:= ) -" -DEPEND="${RDEPEND} - >=dev-qt/qtconcurrent-${QTMIN}:5 -" - -PATCHES=( - "${FILESDIR}/${P}-CVE-2020-16116.patch" - "${FILESDIR}/${P}-CVE-2020-24654.patch" -) - -src_configure() { - local mycmakeargs=( - $(cmake_use_find_package zip LibZip) - ) - - ecm_src_configure -} - -src_test() { - local myctestargs=( - -E "(plugins-clirartest)" - ) - - ecm_src_test -} - -pkg_postinst() { - if [[ -z "${REPLACING_VERSIONS}" ]]; then - elog "Optional dependencies:" - optfeature "rar archive creation/extraction" app-arch/rar - optfeature "rar archive extraction only" app-arch/unar app-arch/unrar - optfeature "7-Zip archive support" app-arch/p7zip - optfeature "lrz archive support" app-arch/lrzip - optfeature "markdown support in text previews" kde-misc/markdownpart:${SLOT} kde-misc/kmarkdownwebview:${SLOT} - fi - ecm_pkg_postinst -} diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch deleted file mode 100644 index 79129c7be6e..00000000000 --- a/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001 -From: Elvis Angelaccio -Date: Wed, 29 Jul 2020 23:45:30 +0200 -Subject: [PATCH] Fix vulnerability to path traversal attacks - -Ark was vulnerable to directory traversal attacks because of -missing validation of file paths in the archive. - -More details about this attack are available at: -https://github.com/snyk/zip-slip-vulnerability - -Job::onEntry() is the only place where we can safely check the path of -every entry in the archive. There shouldn't be a valid reason -to have a "../" in an archive path, so we can just play safe and abort -the LoadJob if we detect such an entry. This makes impossibile to -extract this kind of malicious archives and perform the attack. - -Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath() -so that we can still allow loading of legitimate archives that -contain "../" in their paths but still resolve inside the extraction folder. ---- - kerfuffle/jobs.cpp | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp -index fdaa48695..f73b56f86 100644 ---- a/kerfuffle/jobs.cpp -+++ b/kerfuffle/jobs.cpp -@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details) - - void Job::onEntry(Archive::Entry *entry) - { -+ const QString entryFullPath = entry->fullPath(); -+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) { -+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath; -+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString()); -+ onFinished(false); -+ return; -+ } -+ - emit newEntry(entry); - } - --- -GitLab - diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch deleted file mode 100644 index 8b3821893ef..00000000000 
--- a/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001 -From: Fabian Vogt -Date: Tue, 25 Aug 2020 22:14:37 +0200 -Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive - -There are archive types which allow to first create a symlink and then -later on dereference it. If the symlink points outside of the archive, -this results in writing outside of the destination directory. - -With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids -this situation by verifying that none of the target path components are -symlinks before writing. - -Remove the commented out code in the method, which would actually -misbehave if enabled again. - -Signed-off-by: Fabian Vogt ---- - plugins/libarchive/libarchiveplugin.cpp | 18 +++--------------- - 1 file changed, 3 insertions(+), 15 deletions(-) - -diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp -index 50e81da1..8a0fed21 100644 ---- a/plugins/libarchive/libarchiveplugin.cpp -+++ b/plugins/libarchive/libarchiveplugin.cpp -@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry) - - int LibarchivePlugin::extractionFlags() const - { -- int result = ARCHIVE_EXTRACT_TIME; -- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; -- -- // TODO: Don't use arksettings here -- /*if ( ArkSettings::preservePerms() ) -- { -- result &= ARCHIVE_EXTRACT_PERM; -- } -- -- if ( !ArkSettings::extractOverwrite() ) -- { -- result &= ARCHIVE_EXTRACT_NO_OVERWRITE; -- }*/ -- -- return result; -+ return ARCHIVE_EXTRACT_TIME -+ | ARCHIVE_EXTRACT_SECURE_NODOTDOT -+ | ARCHIVE_EXTRACT_SECURE_SYMLINKS; - } - - void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress) --- -GitLab -
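Review bot: In the Manifest hunk, removing the `DIST ark-20.04.3.tar.xz` line is consistent with deleting ark-20.04.3-r2.ebuild, but the commit message ("drop 20.04.3*") gives no reason, and after this commit ark-20.08.3.tar.xz is the only distfile left. Please say in the message that 20.08.3 supersedes the patched 20.04.3-r2 and that the Manifest was regenerated rather than hand-edited, so reviewers can see the surviving BLAKE2B/SHA512 line for 20.08.3 is unchanged.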
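Review bot: The ebuild being removed is stable-keyworded (`KEYWORDS="amd64 arm64 ~ppc64 x86"`) and is the only version that applies the two CVE backports through `PATCHES=( "${FILESDIR}/${P}-CVE-2020-16116.patch" "${FILESDIR}/${P}-CVE-2020-24654.patch" )`. Before this ebuild goes, the retained 20.08.3 needs to be stable on amd64, arm64 and x86; otherwise stable users either lose the only patched ark or get pushed onto ~arch. If 20.08.3 was stabilised in an earlier commit, reference that bug or commit in the message so the removal is auditable.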
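Review bot: The deleted ark-20.04.3-CVE-2020-16116.patch is upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f (2020-07-29), so dropping it is only safe if the 20.08.3 tarball that remains actually carries that commit; a one-line check in the unpacked source is `grep -n 'cleanPath' kerfuffle/jobs.cpp`. Worth noting for anyone reading this removal as a record of the fix: the check `if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../")))` only rejects entries whose cleaned path still contains `../` with a trailing slash, so an entry that cleans to exactly `..` or an absolute entry path is not caught by this LoadJob check; whether that matters depends on the extraction-side flags, which this hunk does not show. That is a limitation of the backport being removed, not something this commit introduces.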
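Review bot: The deleted ark-20.04.3-CVE-2020-24654.patch is upstream commit 8bf8c5ef07b0ac5e914d752681e470dea403a5bd (2020-08-25); confirm the retained 20.08.3 has `ARCHIVE_EXTRACT_SECURE_SYMLINKS` in `LibarchivePlugin::extractionFlags()` (for example `grep -n SECURE_SYMLINKS plugins/libarchive/libarchiveplugin.cpp`) before relying on it as the replacement. Two things the hunk shows that the commit message should not lose: the removed commented-out block used `result &= ARCHIVE_EXTRACT_PERM` and `result &= ARCHIVE_EXTRACT_NO_OVERWRITE`, a bitwise AND that would clear flags rather than set them, which is why the patch deleted it rather than re-enabling it; and the flag only governs the libarchive plugin, so the cli-based plugins that the ebuild's `src_test` exclusion of `plugins-clirartest` hints at are outside the scope of this fix.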