!24 fix CVE-2024-57966

From: @fundawang 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang

ark.spec

@@ -1,17 +1,15 @@
 Name:            ark
 Summary:         Archive manager
-Version:         22.04.2
-Release:         1
+Version:         23.08.4
+Release:         3
 
 License:         GPLv2+
 URL:             https://www.kde.org/applications/utilities/ark/
-%global revision %(echo %{version} | cut -d. -f3)
-%if %{revision} >= 50
-%global stable unstable
-%else
-%global stable stable
-%endif
+%global majmin %majmin_ver_kf5
+%global stable %stable_kf5
+
 Source0:        http://download.kde.org/%{stable}/release-service/%{version}/src/%{name}-%{version}.tar.xz
+Patch6001:      backport-CVE-2024-57966.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  desktop-file-utils
@@ -43,7 +41,7 @@ Conflicts:      kdeutils-common < 6:4.7.80
 Conflicts:      kde-l10n < 17.03
 Obsoletes:      kdeutils-ark < 6:4.7.80
 Provides:       kdeutils-ark = 6:%{version}-%{release}
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Requires:       %{name}-libs = %{version}-%{release}
 Requires:       bzip2
 Requires:       gzip
 Requires:       unzip
@@ -61,7 +59,6 @@ Requires:       %{name} = %{version}-%{release}
 Obsoletes:      kdeutils-ark-libs < 6:4.7.80
 Provides:       kdeutils-ark-libs = 6:%{version}-%{release}
 Provides:       ark-part = %{version}-%{release}
-Provides:       ark-part%{?_isa} = %{version}-%{release}
 %description libs
 %{summary}.
 
@@ -86,6 +83,7 @@ desktop-file-validate %{buildroot}%{_kf5_datadir}/applications/org.kde.ark.deskt
 
 %files -f %{name}.lang
 %license COPYING*
+%{_sysconfdir}/xdg/arkrc
 %{_kf5_datadir}/qlogging-categories5/%{name}*
 %{_kf5_bindir}/ark
 %{_kf5_datadir}/config.kcfg/ark.kcfg
@@ -93,19 +91,36 @@ desktop-file-validate %{buildroot}%{_kf5_datadir}/applications/org.kde.ark.deskt
 %{_kf5_datadir}/applications/org.kde.ark.desktop
 %{_kf5_datadir}/icons/hicolor/*/apps/ark.*
 %{_mandir}/man1/ark.1*
+%{_kf5_datadir}/kconf_update/ark.upd
+%{_kf5_datadir}/kconf_update/ark_add_hamburgermenu_to_toolbar.sh
+%{_kf5_datadir}/kservices5/ark_part.desktop
 %ldconfig_scriptlets
 
 %files libs
 %{_kf5_libdir}/libkerfuffle.so.*
 %{_kf5_plugindir}/parts/arkpart.so
-%{_kf5_datadir}/kservices5/ark_part.desktop
 %{_kf5_qtplugindir}/kerfuffle/
 %{_kf5_plugindir}/kio_dnd/extracthere.so
 %{_kf5_plugindir}/kfileitemaction/compressfileitemaction.so
 %{_kf5_plugindir}/kfileitemaction/extractfileitemaction.so
-%{_kf5_datadir}/kservicetypes5/kerfufflePlugin.desktop
+
 
 %changelog
+* Tue Feb 04 2025 Funda Wang <fundawang@yeah.net> - 23.08.4-3
+- fix CVE-2024-57966
+
+* Wed Jan 10 2024 jiangxinyu <jiangxinyu@kylinos.cn> - 23.08.4-1
+- Update package to version 23.08.4
+
+* Fri Aug 04 2023 yajun<yajun@kylinos.cn> - 23.04.3-1
+- update to upstream version 23.04.3
+
+* Fri May 12 2023 peijiankang<peijiankang@kylinos.cn> - 22.12.0-1
+- update to upstream version 22.12.0
+
+* Thu Dec 15 2022 tanyulong<tanyulong@kylinos.cn> - 22.08.3-1
+- update to upstream version 22.08.3
+
 * Tue Jul 5 2022 peijiankang<peijiankang@kylinos.cn> - 22.04.2-1
 - update to upstream version 22.04.2
 

backport-CVE-2024-57966.patch

@@ -0,0 +1,53 @@
+From fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Thu, 7 Nov 2024 14:47:26 +0100
+Subject: [PATCH] Treat absolute paths as relative paths during extraction
+
+Tell libarchive to use the path for extraction that Ark uses internally.
+In addition, set the ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS flag to avoid
+that absolute paths are used by accident.
+
+(cherry picked from commit cc9ea9e89c1c679d398809e94f1217b1f73c4b48)
+---
+ plugins/libarchive/libarchiveplugin.cpp      |  12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 8d489f58f..9b47bae8c 100644
+--- a/plugins/libarchive/libarchiveplugin.cpp
++++ b/plugins/libarchive/libarchiveplugin.cpp
+@@ -307,6 +307,11 @@
+             entryName.remove(0, 1);
+         }
+ 
++        // If this ends up empty (e.g. from // or ./), convert to ".".
++        if (entryName.isEmpty()) {
++            entryName = QStringLiteral(".");
++        }
++
+         // Should the entry be extracted?
+         if (extractAll ||
+             remainingFiles.contains(entryName) ||
+@@ -321,10 +326,12 @@
+                 continue;
+             }
+ 
+-            // entryFI is the fileinfo pointing to where the file will be
++            // Make sure libarchive uses the same path as we expect, based on transformations and renames,
++            qCDebug(ARK) << "setting path to " << entryName;
++            archive_entry_copy_pathname(entry, QFile::encodeName(entryName).constData());
++	    // entryFI is the fileinfo pointing to where the file will be
+             // written from the archive.
+             QFileInfo entryFI(entryName);
+-            //qCDebug(ARK) << "setting path to " << archive_entry_pathname( entry );
+ 
+             if (isSingleFile && fileBeingRenamed.isEmpty()) {
+                 // Rename extracted file from libarchive-internal "data" name to the archive uncompressed name.
+@@ -568,6 +575,7 @@
+ int LibarchivePlugin::extractionFlags() const
+ {
+     return ARCHIVE_EXTRACT_TIME
++           | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
+            | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+            | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }