non port: archivers/ark/files |
Number of commits found: 10 |
Thursday, 3 Sep 2020
|
14:48 tcberner
Update KDE Applications (release-service) to 20.08.1
|
Friday, 28 Aug 2020
|
05:47 tcberner
archivers/ark: fix vulnerability in tar extraction
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 27 August 2020
Overview
========
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of a malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively,
https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
can be applied to previous releases.
Credits
=======
Thanks to Fabian Vogt for reporting this issue and for fixing it.
MFH: 2020Q3
Security: CVE-2020-24654
|
Thursday, 13 Aug 2020
|
17:10 tcberner
KDE's August 2020 Apps Update
Dozens of KDE apps are getting new releases from KDE's release service. New
features, usability improvements, re-designs and bug fixes all contribute to
helping boost your productivity and making this new batch of applications more
efficient and pleasant to use.
Full announcement:
https://kde.org/announcements/releases/2020-08-apps-update/
|
Thursday, 30 Jul 2020
|
04:32 tcberner
archivers/ark: security fix
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 30 July 2020
Overview
========
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of a malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
========
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.
Credits
=======
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
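Both advisories in this log describe the same class of defect: an archive entry that, once extracted, lands outside the directory the user chose, either through "../" components in the entry name (CVE-2020-16116, this entry) or through a symlink member whose target points above the extraction root and is then written through by a later member (CVE-2020-24654, the entry above). The following is an added example, not Ark's code and not part of the FreeBSD commit: a pre-extraction audit in Python that walks the entry list of a tar or zip archive and rejects both patterns using pure path arithmetic, following only symlinks it has already accepted, so that nothing is written to disk before the archive is judged. The `dirsym`/`.bashrc` and `../.bashrc` sample archives are constructed in memory here and merely model the public test archives the advisories link to; they are not those files.

```python
"""Pre-extraction audit for archive entries that could escape the extraction
root: "../" components in names and symlink members pointing outside the root.
Pure path logic, nothing is written to disk. Added example, not Ark's code."""
import io
import posixpath
import stat
import tarfile
import zipfile

MAX_LINK_DEPTH = 40  # bounds symlink chains, so self-referential links count as escapes


def resolve_inside_root(name, symlinks, depth=0):
    """Return the root-relative path `name` would really touch once the already
    accepted symlink members (`symlinks`: path -> target) are followed, or None
    if it would land outside the extraction root (or never resolve)."""
    if depth > MAX_LINK_DEPTH or name.startswith("/"):
        return None
    resolved = []
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not resolved:
                return None  # climbed above the extraction root
            resolved.pop()
            continue
        resolved.append(part)
        key = "/".join(resolved)
        if key in symlinks:
            # a relative symlink target is interpreted from the link's own directory
            through = resolve_inside_root(
                posixpath.join("/".join(resolved[:-1]), symlinks[key]), symlinks, depth + 1)
            if through is None:
                return None
            resolved = through.split("/") if through else []
    return "/".join(resolved)


def audit_entries(entries):
    """entries: iterable of (name, linkname), linkname None unless the member is a
    symlink. Returns (safe_names, rejected) with rejected as (name, reason).
    A symlink is recorded only once accepted, so later entries are checked
    against exactly the links a sequential extractor would have created."""
    symlinks, safe, rejected = {}, [], []
    for name, linkname in entries:
        where = resolve_inside_root(name, symlinks)
        if where is None:
            rejected.append((name, "path escapes extraction root"))
            continue
        if linkname is not None:
            target = posixpath.join(posixpath.dirname(where), linkname)
            if resolve_inside_root(target, symlinks) is None:
                rejected.append((name, "symlink escapes extraction root"))
                continue
            symlinks[where] = linkname
        safe.append(name)
    return safe, rejected


def tar_entries(tar):
    return [(m.name, m.linkname if m.issym() else None) for m in tar.getmembers()]


def zip_entries(zf):
    # zip keeps a Unix mode in the high 16 bits of external_attr; for a symlink
    # member the link target is the member's data
    return [(i.filename, zf.read(i).decode("utf-8", "replace")
             if stat.S_ISLNK(i.external_attr >> 16) else None) for i in zf.infolist()]


def build_sample_tar():
    """Constructed sample: a symlink above the root, then a file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("dirsym")
        link.type, link.linkname = tarfile.SYMTYPE, "../.."
        tar.addfile(link)
        payload = b"echo constructed sample\n"
        info = tarfile.TarInfo("dirsym/.bashrc")  # harmless once the link is skipped
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        tar.addfile(tarfile.TarInfo("docs/readme.txt"))
    return buf.getvalue()


def build_sample_zip():
    """Constructed sample: a "../" component in an entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../.bashrc", "echo constructed sample\n")
        zf.writestr("docs/readme.txt", "hello\n")
    return buf.getvalue()


def audit_tar_bytes(data):
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_entries(tar_entries(tar))


def audit_zip_bytes(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return audit_entries(zip_entries(zf))


if __name__ == "__main__":
    for label, result in (("tar", audit_tar_bytes(build_sample_tar())),
                          ("zip", audit_zip_bytes(build_sample_zip()))):
        print(label, "safe:", result[0], "rejected:", result[1])
```

Running the module prints the two verdicts: the tar's `dirsym` link is rejected (so the `.bashrc` that follows becomes an ordinary file inside a real `dirsym/` directory, which is what Ark 20.08.1's "skip the symlink" fix achieves), and the zip's `../.bashrc` is rejected outright, matching the "refuse to load and warn" behaviour of Ark 20.08.0. The audit deliberately checks only the entry list, not the filesystem, so it can run before any extraction; on Python 3.12 and later the standard library's `tarfile` extraction filters (`extractall(filter="data")`) apply equivalent rules for tar archives.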
|
Thursday, 15 Aug 2019
|
15:38 adridg
Update KDE Applications to latest upstream release, 19.08
Release announcement
https://kde.org/announcements/announce-applications-19.08.0.php
Thanks to tcberner for doing most of the prep-work.
|
10:01 adridg
Update KDE Frameworks to latest upstream release, 5.61
Release notes at
https://kde.org/announcements/kde-frameworks-5.61.0.php
Thanks to
antoine@ for the exp-runs,
tcberner@ for most of the prep-work,
the Gentoo community for cherry-picking patches
There are a bunch of changes in (implicitly included) headers, which
broke existing KDE Applications builds; that's why there are a whole
bunch of "patch-gentoo-kf5-5.61-headers" patches (taken from Gentoo
packaging). Those will go away with the next KDE Applications release.
PR: 239777
Submitted by: tcberner
|
Thursday, 18 Apr 2019
|
16:55 tcberner
Update KDE Applications to 19.04.0
The changelog can be found here:
- https://kde.org/announcements/announce-applications-19.04.0.php
Due to crashes on start, multimedia/kdenlive was kept at 18.12.3 for now.
|
Sunday, 8 Apr 2018
|
12:12 adridg
Fix build of archivers/ark on 10.3 (old clang). Make the return
type of the lambda explicit, to avoid this build error:
error: return type 'QString' must match previous return type 'const QString'
when lambda expression has unspecified explicit return type
return QString();
Reported by: pkg-fallout
Approved by: tcberner (mentor, implicit)
|
Friday, 6 Apr 2018
|
20:11 tcberner
New port: archivers/ark
This is the current version of KDE Applications <foo>.
Note that users of KDE SC4 should stick with <foo>-kde4.
Reviewed by: adridg
Differential Revision: https://reviews.freebsd.org/D14822
|
Wednesday, 11 Mar 2015
|
23:11 alonso
Update KDE SC to 4.14.3
The kde@ team presents KDE SC 4.14.3, the last planned release
of the KDE SC 4 series.
In addition to the updates provided by the KDE SC developers, this
update also addresses numerous FreeBSD and PORTS specific
issues, found and solved by the kde@ team and area51 testers,
most notoriously Tobias C. Berner <tcberner@gmail.com>
PR: 197751
PR: 197871
PR: 184996
Reviewed by: rakuco (mentor)
Differential: https://reviews.freebsd.org/D1950
|