author | Tobias C. Berner <tcberner@FreeBSD.org> | 2020-08-13 17:10:30 +0000 |
---|---|---|
committer | Tobias C. Berner <tcberner@FreeBSD.org> | 2020-08-13 17:10:30 +0000 |
commit | 0edfaee1ed970ab80a259d920b20cc1a2c0be6ba (patch) | |
tree | a300988022b47481632f3ac4326106c1d20ffb7b /archivers/ark | |
parent | eab6fd195eb5c41f1d6fbe53a0d1f7a9af762712 (diff) | |
Diffstat (limited to 'archivers/ark')
-rw-r--r-- | archivers/ark/Makefile | 3 | ||||
-rw-r--r-- | archivers/ark/distinfo | 6 | ||||
-rw-r--r-- | archivers/ark/files/patch-git_0d5952 | 46 |
3 files changed, 4 insertions, 51 deletions
diff --git a/archivers/ark/Makefile b/archivers/ark/Makefile
index ccb83d480709..7a200dfcfaf5 100644
--- a/archivers/ark/Makefile
+++ b/archivers/ark/Makefile
@@ -2,7 +2,6 @@
 PORTNAME= ark
 DISTVERSION= ${KDE_APPLICATIONS_VERSION}
-PORTREVISION= 1
 CATEGORIES= archivers kde kde-applications
 MAINTAINER= kde@FreeBSD.org
@@ -42,6 +41,6 @@ ZIP_LIB_DEPENDS= libzip.so:archivers/libzip
 ZIP_CMAKE_BOOL_OFF= CMAKE_DISABLE_FIND_PACKAGE_LibZip
 # Override shared library version
-KDE_APPLICATIONS_SHLIB_VER=20.4.3
+KDE_APPLICATIONS_SHLIB_VER=20.8.0
 .include <bsd.port.mk>
diff --git a/archivers/ark/distinfo b/archivers/ark/distinfo
index 507c979ec829..6353108cde90 100644
--- a/archivers/ark/distinfo
+++ b/archivers/ark/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1594146930
-SHA256 (KDE/release-service/20.04.3/ark-20.04.3.tar.xz) = e7251b0b6f12291ffbaa328bf7f8e101ebeef6fd110dabbcf76d8ad7cfd305bc
-SIZE (KDE/release-service/20.04.3/ark-20.04.3.tar.xz) = 2586436
+TIMESTAMP = 1596814078
+SHA256 (KDE/release-service/20.08.0/ark-20.08.0.tar.xz) = 7627ffa17466d31dfdedabaa07b491ce14b46041d04f8b20316a0fa731fab098
+SIZE (KDE/release-service/20.08.0/ark-20.08.0.tar.xz) = 2708180
diff --git a/archivers/ark/files/patch-git_0d5952 b/archivers/ark/files/patch-git_0d5952
deleted file mode 100644
index db355866686c..000000000000
--- a/archivers/ark/files/patch-git_0d5952
+++ /dev/null
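Review bot: Resetting PORTREVISION in this hunk goes together with deleting files/patch-git_0d5952, the local patch that carried the archive path-traversal fix (upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f, dated 2020-07-29), and nothing on this page records that ark 20.08.0 actually ships that fix. The new distfile's TIMESTAMP (1596814078) is later than the upstream commit date, which is consistent with the fix being included but is not proof; the kerfuffle/jobs.cpp in the 20.08.0 tarball should be checked for the QDir::cleanPath() guard in Job::onEntry() before the patch is dropped. The commit log should state that check explicitly, so that the fixed version can be cited in the ports vulnerability database if an entry exists for this issue. If the guard turns out to be absent, the patch file should stay and PORTREVISION be bumped rather than removed.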
@@ -1,46 +0,0 @@
-From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
-From: Elvis Angelaccio <elvis.angelaccio@kde.org>
-Date: Wed, 29 Jul 2020 23:45:30 +0200
-Subject: [PATCH] Fix vulnerability to path traversal attacks
-
-Ark was vulnerable to directory traversal attacks because of
-missing validation of file paths in the archive.
-
-More details about this attack are available at:
-https://github.com/snyk/zip-slip-vulnerability
-
-Job::onEntry() is the only place where we can safely check the path of
-every entry in the archive. There shouldn't be a valid reason
-to have a "../" in an archive path, so we can just play safe and abort
-the LoadJob if we detect such an entry. This makes impossibile to
-extract this kind of malicious archives and perform the attack.
-
-Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
-so that we can still allow loading of legitimate archives that
-contain "../" in their paths but still resolve inside the extraction folder.
----
- kerfuffle/jobs.cpp | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
-index fdaa48695..f73b56f86 100644
---- kerfuffle/jobs.cpp
-+++ kerfuffle/jobs.cpp
-@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
-
- void Job::onEntry(Archive::Entry *entry)
- {
-+ const QString entryFullPath = entry->fullPath();
-+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
-+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
-+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
-+ onFinished(false);
-+ return;
-+ }
-+
- emit newEntry(entry);
- }
-
---
-GitLab
-
|