From bbde9aeeaf4faf1f0093a091fdedd7a76294acdb Mon Sep 17 00:00:00 2001
From: John
Date: Thu, 13 Aug 2020 20:14:44 +0200
Subject: [PATCH] ark: update to 20.08.0.

---
 ...92524fed305d6fbe74ddf8a196bc9ffdb92f.patch | 46 ------------------------
 ...fed305d6fbe74ddf8a196bc9ffdb92f.patch.args | 1 -
 srcpkgs/ark/template | 6 +--
 3 files changed, 3 insertions(+), 50 deletions(-)
 delete mode 100644 srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch
 delete mode 100644 srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch.args

diff --git a/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch b/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch
deleted file mode 100644
index 79129c7be6e..00000000000
--- a/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
-From: Elvis Angelaccio
-Date: Wed, 29 Jul 2020 23:45:30 +0200
-Subject: [PATCH] Fix vulnerability to path traversal attacks
-
-Ark was vulnerable to directory traversal attacks because of
-missing validation of file paths in the archive.
-
-More details about this attack are available at:
-https://github.com/snyk/zip-slip-vulnerability
-
-Job::onEntry() is the only place where we can safely check the path of
-every entry in the archive. There shouldn't be a valid reason
-to have a "../" in an archive path, so we can just play safe and abort
-the LoadJob if we detect such an entry. This makes impossibile to
-extract this kind of malicious archives and perform the attack.
-
-Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
-so that we can still allow loading of legitimate archives that
-contain "../" in their paths but still resolve inside the extraction folder.
----
- kerfuffle/jobs.cpp | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
-index fdaa48695..f73b56f86 100644
---- a/kerfuffle/jobs.cpp
-+++ b/kerfuffle/jobs.cpp
-@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
- 
- void Job::onEntry(Archive::Entry *entry)
- {
-+ const QString entryFullPath = entry->fullPath();
-+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
-+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
-+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
-+ onFinished(false);
-+ return;
-+ }
-+
- emit newEntry(entry);
- }
- 
---- 
-GitLab
-
diff --git a/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch.args b/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch.args
deleted file mode 100644
index 2eba1cb3c5c..00000000000
--- a/srcpkgs/ark/patches/0df592524fed305d6fbe74ddf8a196bc9ffdb92f.patch.args
+++ /dev/null
@@ -1 +0,0 @@
--Np1
diff --git a/srcpkgs/ark/template b/srcpkgs/ark/template
index ab2766bbb86..16dc1dcfe8e 100644
--- a/srcpkgs/ark/template
+++ b/srcpkgs/ark/template
@@ -1,7 +1,7 @@
 # Template file for 'ark'
 pkgname=ark
-version=20.04.3
-revision=2
+version=20.08.0
+revision=1
 build_style=cmake
 hostmakedepends="extra-cmake-modules qt5-devel qt5-qmake kdoctools kconfig gettext pkg-config"
@@ -11,7 +11,7 @@ maintainer="John "
 license="GPL-2.0-or-later"
 homepage="https://kde.org/applications/en/utilities/org.kde.ark"
 distfiles="${KDE_SITE}/release-service/${version}/src/${pkgname}-${version}.tar.xz"
-checksum=e7251b0b6f12291ffbaa328bf7f8e101ebeef6fd110dabbcf76d8ad7cfd305bc
+checksum=7627ffa17466d31dfdedabaa07b491ce14b46041d04f8b20316a0fa731fab098
 if [ "$CROSS_BUILD" ]; then
 hostmakedepends+=" python3 kcoreaddons kparts"