notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
All times are UTC
non port: archivers/ark/files/patch-cve_2020-24654

Number of commits found: 1

Friday, 28 Aug 2020
05:47 tcberner search for other commits by this committer
archivers/ark: fix vulnerability in tar extraction

KDE Project Security Advisory

Title:           Ark: maliciously crafted TAR archive with symlinks can install
files outside the extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-24654
Versions:        ark <= 20.08.0
Author:          Elvis Angelaccio <>
Date:            27 August 2020


A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at


Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.


Before extracting a downloaded archive using the Ark GUI, users should inspect
to make sure it doesn't contain symlink entries pointing outside the extraction

The 'Extract' context menu from the Dolphin file manager shouldn't be used.


Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

can be applied to previous


Thanks to Fabian Vogt for reporting this issue and for fixing it.

MFH:		2020Q3
Security:	CVE-2020-24654
Original commitRevision:546706 

Number of commits found: 1