commit: f25fa2d93956341a938c84f2da5057b8fe2e259c |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
AuthorDate: Mon Sep 28 18:40:24 2020 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 28 21:28:22 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25fa2d9 |
|
kde-apps/ark: Fix CVE-2020-24654 |
|
Bug: https://bugs.gentoo.org/743959 |
Package-Manager: Portage-3.0.8, Repoman-3.0.1 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
|
kde-apps/ark/ark-20.04.3-r2.ebuild | 84 ++++++++++++++++++++++ |
.../ark/files/ark-20.04.3-CVE-2020-24654.patch | 53 ++++++++++++++ |
2 files changed, 137 insertions(+) |
|
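--- /dev/null
+++ b/kde-apps/ark/ark-20.04.3-r2.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="forceoptional"
+ECM_TEST="optional"
+KFMIN=5.70.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org optfeature
+
+DESCRIPTION="File archiver by KDE"
+HOMEPAGE="https://kde.org/applications/en/ark
+https://utils.kde.org/projects/ark/"
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+IUSE="zip"
+
+BDEPEND="
+ sys-devel/gettext
+"
+RDEPEND="
+ app-arch/libarchive:=[bzip2,lzma,zlib]
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-frameworks/karchive-${KFMIN}:5
+ >=kde-frameworks/kcompletion-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kcrash-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kio-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/kjobwidgets-${KFMIN}:5
+ >=kde-frameworks/kparts-${KFMIN}:5
+ >=kde-frameworks/kpty-${KFMIN}:5
+ >=kde-frameworks/kservice-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+ sys-libs/zlib
+ zip? ( >=dev-libs/libzip-1.2.0:= )
+"
+DEPEND="${RDEPEND}
+ >=dev-qt/qtconcurrent-${QTMIN}:5
+"
+
+PATCHES=(
+ "${FILESDIR}/${P}-CVE-2020-16116.patch"
+ "${FILESDIR}/${P}-CVE-2020-24654.patch"
+)
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package zip LibZip)
+ )
+
+ ecm_src_configure
+}
+
+src_test() {
+ local myctestargs=(
+ -E "(plugins-clirartest)"
+ )
+
+ ecm_src_test
+}
+
+pkg_postinst() {
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ elog "Optional dependencies:"
+ optfeature "rar archive creation/extraction" app-arch/rar
+ optfeature "rar archive extraction only" app-arch/unar app-arch/unrar
+ optfeature "7-Zip archive support" app-arch/p7zip
+ optfeature "lrz archive support" app-arch/lrzip
+ optfeature "markdown support in text previews" kde-misc/markdownpart:${SLOT} kde-misc/kmarkdownwebview:${SLOT}
+ fi
+ ecm_pkg_postinst
+}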
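Review bot: The `-E "(plugins-clirartest)"` exclusion in src_test carries no comment saying why that test is skipped, so the next revbump cannot tell whether the exclusion is still needed; a one-line comment above it such as `# plugins-clirartest presumably needs the external rar tool, unavailable at test time — TODO confirm` would record that. `LICENSE="GPL-2" # TODO: CHECK` is likewise carried unresolved into a security revision. Neither point affects the CVE fix itself, which this revision only wires in through the second PATCHES entry.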
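--- /dev/null
+++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-24654.patch
@@ -0,0 +1,53 @@
+From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@×××××××××××.de>
+Date: Tue, 25 Aug 2020 22:14:37 +0200
+Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive
+
+There are archive types which allow to first create a symlink and then
+later on dereference it. If the symlink points outside of the archive,
+this results in writing outside of the destination directory.
+
+With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids
+this situation by verifying that none of the target path components are
+symlinks before writing.
+
+Remove the commented out code in the method, which would actually
+misbehave if enabled again.
+
+Signed-off-by: Fabian Vogt <fabian@×××××××××××.de>
+---
+ plugins/libarchive/libarchiveplugin.cpp | 18 +++--------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
+index 50e81da1..8a0fed21 100644
+--- a/plugins/libarchive/libarchiveplugin.cpp
++++ b/plugins/libarchive/libarchiveplugin.cpp
+@@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry)
+ 
+ int LibarchivePlugin::extractionFlags() const
+ {
+- int result = ARCHIVE_EXTRACT_TIME;
+- result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
+-
+- // TODO: Don't use arksettings here
+- /*if ( ArkSettings::preservePerms() )
+- {
+- result &= ARCHIVE_EXTRACT_PERM;
+- }
+-
+- if ( !ArkSettings::extractOverwrite() )
+- {
+- result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
+- }*/
+-
+- return result;
++ return ARCHIVE_EXTRACT_TIME
++ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+ 
+ void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)
+--
+GitLab
+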
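Review bot: Absolute entry pathnames are still not refused by the flag set returned at `return ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_SECURE_NODOTDOT | ARCHIVE_EXTRACT_SECURE_SYMLINKS;` — SECURE_NODOTDOT rejects `..` components and SECURE_SYMLINKS rejects writing through a symlinked component, but an entry whose name starts with `/` is covered by neither, so unless Ark already strips leading slashes before the entry reaches archive_write_disk (not visible in this hunk), adding `| ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` closes that gap at the same layer. Now that the body is a bare expression, a why-comment would keep the intent from being lost in a later edit, e.g. `// SECURE_* flags make libarchive refuse entries that would write outside the destination directory (SECURE_SYMLINKS: CVE-2020-24654).` The code that consumes these flags is outside the hunk; with the secure flags set libarchive reports a refused entry as an error return for that entry, so that caller should surface the failure rather than let a partial extraction pass as success — worth checking, as it is not shown here.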