!24 fix CVE-2024-57966

From: @fundawang Reviewed-by: @peijiankang Signed-off-by: @peijiankang
2025-02-07 01:36:13 +00:00 · 2025-02-07 01:36:13 +00:00 · 96377cfff0
commit 96377cfff0
parent f20c146568 64343acfcc
2 changed files with 58 additions and 1 deletions
--- a/ark.spec
+++ b/ark.spec
@ -1,7 +1,7 @@
 Name:            ark
 Summary:         Archive manager
 Version:         23.08.4
-Release:         1
+Release:         3

 License:         GPLv2+
 URL:             https://www.kde.org/applications/utilities/ark/
@ -9,6 +9,7 @@ URL:             https://www.kde.org/applications/utilities/ark/
 %global stable %stable_kf5

 Source0:        http://download.kde.org/%{stable}/release-service/%{version}/src/%{name}-%{version}.tar.xz
+Patch6001:      backport-CVE-2024-57966.patch

 BuildRequires:  bzip2-devel
 BuildRequires:  desktop-file-utils
@ -105,6 +106,9 @@ desktop-file-validate %{buildroot}%{_kf5_datadir}/applications/org.kde.ark.deskt


 %changelog
+* Tue Feb 04 2025 Funda Wang <fundawang@yeah.net> - 23.08.4-3
+- fix CVE-2024-57966
+
 * Wed Jan 10 2024 jiangxinyu <jiangxinyu@kylinos.cn> - 23.08.4-1
 - Update package to version 23.08.4

--- a/backport-CVE-2024-57966.patch
+++ b/backport-CVE-2024-57966.patch
@ -0,0 +1,53 @@
+From fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Thu, 7 Nov 2024 14:47:26 +0100
+Subject: [PATCH] Treat absolute paths as relative paths during extraction
+
+Tell libarchive to use the path for extraction that Ark uses internally.
+In addition, set the ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS flag to avoid
+that absolute paths are used by accident.
+
+(cherry picked from commit cc9ea9e89c1c679d398809e94f1217b1f73c4b48)
+---
+ plugins/libarchive/libarchiveplugin.cpp      |  12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 8d489f58f..9b47bae8c 100644
+--- a/plugins/libarchive/libarchiveplugin.cpp
+++ b/plugins/libarchive/libarchiveplugin.cpp
+@@ -307,6 +307,11 @@
+             entryName.remove(0, 1);
+         }
+ 
+        // If this ends up empty (e.g. from // or ./), convert to ".".
+        if (entryName.isEmpty()) {
+            entryName = QStringLiteral(".");
+        }
+
+         // Should the entry be extracted?
+         if (extractAll ||
+             remainingFiles.contains(entryName) ||
+@@ -321,10 +326,12 @@
+                 continue;
+             }
+ 
+-            // entryFI is the fileinfo pointing to where the file will be
+            // Make sure libarchive uses the same path as we expect, based on transformations and renames,
+            qCDebug(ARK) << "setting path to " << entryName;
+            archive_entry_copy_pathname(entry, QFile::encodeName(entryName).constData());
+	    // entryFI is the fileinfo pointing to where the file will be
+             // written from the archive.
+             QFileInfo entryFI(entryName);
+-            //qCDebug(ARK) << "setting path to " << archive_entry_pathname( entry );
+ 
+             if (isSingleFile && fileBeingRenamed.isEmpty()) {
+                 // Rename extracted file from libarchive-internal "data" name to the archive uncompressed name.
+@@ -568,6 +575,7 @@
+ int LibarchivePlugin::extractionFlags() const
+ {
+     return ARCHIVE_EXTRACT_TIME
+           | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
+            | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+            | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }