
From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: kde-apps/ark/files/, kde-apps/ark/
Date: Mon, 28 Sep 2020 21:33:31
Message-Id: 1601328502.f25fa2d93956341a938c84f2da5057b8fe2e259c.asturm@gentoo
1 commit: f25fa2d93956341a938c84f2da5057b8fe2e259c
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Mon Sep 28 18:40:24 2020 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 28 21:28:22 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d9
7
8 kde-apps/ark: Fix CVE-2020-24654
9
10 Bug: https://bugs.gentoo.org/743959
11 Package-Manager: Portage-3.0.8, Repoman-3.0.1
12 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
13
14 kde-apps/ark/ark-20.04.3-r2.ebuild | 84 ++++++++++++++++++++++
15 .../ark/files/ark-20.04.3-CVE-2020-24654.patch | 53 ++++++++++++++
16 2 files changed, 137 insertions(+)
17
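diff --git a/kde-apps/ark/ark-20.04.3-r2.ebuild b/kde-apps/ark/ark-20.04.3-r2.ebuild
new file mode 100644
index 00000000000..d77562b55a7
--- /dev/null
+++ b/kde-apps/ark/ark-20.04.3-r2.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="forceoptional"
+ECM_TEST="optional"
+KFMIN=5.70.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org optfeature
+
+DESCRIPTION="File archiver by KDE"
+HOMEPAGE="https://kde.org/applications/en/ark
+https://utils.kde.org/projects/ark/"
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+IUSE="zip"
+
+BDEPEND="
+ sys-devel/gettext
+"
+RDEPEND="
+ app-arch/libarchive:=[bzip2,lzma,zlib]
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-frameworks/karchive-${KFMIN}:5
+ >=kde-frameworks/kcompletion-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kcrash-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kio-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/kjobwidgets-${KFMIN}:5
+ >=kde-frameworks/kparts-${KFMIN}:5
+ >=kde-frameworks/kpty-${KFMIN}:5
+ >=kde-frameworks/kservice-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+ sys-libs/zlib
+ zip? ( >=dev-libs/libzip-1.2.0:= )
+"
+DEPEND="${RDEPEND}
+ >=dev-qt/qtconcurrent-${QTMIN}:5
+"
+
+PATCHES=(
+ "${FILESDIR}/${P}-CVE-2020-16116.patch"
+ "${FILESDIR}/${P}-CVE-2020-24654.patch"
+)
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package zip LibZip)
+ )
+
+ ecm_src_configure
+}
+
+src_test() {
+ local myctestargs=(
+ -E "(plugins-clirartest)"
+ )
+
+ ecm_src_test
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ elog "Optional dependencies:"
+ optfeature "rar archive creation/extraction" app-arch/rar
+ optfeature "rar archive extraction only" app-arch/unar app-arch/unrar
+ optfeature "7-Zip archive support" app-arch/p7zip
+ optfeature "lrz archive support" app-arch/lrzip
+ optfeature "markdown support in text previews" kde-misc/markdownpart:${SLOT} kde-misc/kmarkdownwebview:${SLOT}
+ fi
+ ecm_pkg_postinst
+}
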
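Review bot: The ctest exclusion `-E "(plugins-clirartest)"` in src_test carries no comment saying why that test is skipped, so the next revision bump cannot tell whether the exclusion is still needed or whether it hides a real failure; a one-line comment naming the actual cause (presumably a tool the build sandbox lacks, but that is inferred, not visible here) should sit above it. The `LICENSE="GPL-2" # TODO: CHECK` line is copied into the new revision unresolved; either settle the licence or the stale TODO keeps travelling with every bump. PATCHES also references `${P}-CVE-2020-16116.patch`, which this commit does not add, so it presumably already exists in files/ from the earlier revision — worth a quick check that the file is in place, since a missing patch only fails at src_prepare time.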
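diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch
new file mode 100644
index 00000000000..8b3821893ef
--- /dev/null
+++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch
@@ -0,0 +1,53 @@
+From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@×××××××××××.de>
+Date: Tue, 25 Aug 2020 22:14:37 +0200
+Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive
+
+There are archive types which allow to first create a symlink and then
+later on dereference it. If the symlink points outside of the archive,
+this results in writing outside of the destination directory.
+
+With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids
+this situation by verifying that none of the target path components are
+symlinks before writing.
+
+Remove the commented out code in the method, which would actually
+misbehave if enabled again.
+
+Signed-off-by: Fabian Vogt <fabian@×××××××××××.de>
+---
+ plugins/libarchive/libarchiveplugin.cpp | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 50e81da1..8a0fed21 100644
+--- a/plugins/libarchive/libarchiveplugin.cpp
++++ b/plugins/libarchive/libarchiveplugin.cpp
+@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry)
+
+ int LibarchivePlugin::extractionFlags() const
+ {
+- int result = ARCHIVE_EXTRACT_TIME;
+- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+- // TODO: Don't use arksettings here
+- /*if ( ArkSettings::preservePerms() )
+- {
+- result &= ARCHIVE_EXTRACT_PERM;
+- }
+-
+- if ( !ArkSettings::extractOverwrite() )
+- {
+- result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+- }*/
+-
+- return result;
++ return ARCHIVE_EXTRACT_TIME
++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
+--
+GitLab
+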
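Review bot: The new `extractionFlags()` body (`return ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_SECURE_NODOTDOT | ARCHIVE_EXTRACT_SECURE_SYMLINKS;`) closes the `..` and symlink escape routes but says nothing about absolute entry paths; libarchive also offers `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS`, which makes archive_write_disk reject entries whose path starts at the root. Whether Ark already strips or refuses absolute paths before the entry reaches libarchive is not visible in this hunk, so confirm that before treating the three flags as the complete set; the hunk header shows the whole function, but the call site that consumes the flags is outside it. Since this file is a verbatim backport of upstream commit 8bf8c5ef, any such addition belongs upstream or in a separate patch rather than an edit to this one; the ebuild's unversioned `app-arch/libarchive:=` dependency is also worth checking against the libarchive version that introduced the flag if it is ever added. A short comment above the return, `// NODOTDOT and SECURE_SYMLINKS stop entries from writing outside the destination directory (CVE-2020-24654)`, would tell the next reader why these flags are not optional.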