All times are UTC
non port: archivers/ark/files/patch-git_0d5952

Number of commits found: 1

Thursday, 30 Jul 2020
04:32 tcberner
archivers/ark: security fix

KDE Project Security Advisory

Title:           Ark: maliciously crafted archive can install files outside the
extraction directory.
Risk Rating:     Important
CVE:             CVE-2020-16116
Versions:        ark <= 20.04.3
Author:          Elvis Angelaccio <>
Date:            30 July 2020


A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at


Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart


Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect
to make sure it doesn't contain entries with "../" in the file path.


Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.

can be applied to previous releases.


Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
Original commit Revision: 543704
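
The inspection step the advisory recommends can be scripted. The following is an added example, not part of the commit or of Ark's code: it lists the entries of a zip or tar archive without extracting it and flags names that would resolve outside the extraction directory. The function names and the sample archive are constructed for illustration, and only "../" and absolute entry names are checked.

```python
import io
import posixpath
import tarfile
import zipfile


def entry_names(data: bytes) -> list[str]:
    """Return the stored member names of a zip or tar archive held in memory."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf) as tf:
        return tf.getnames()


def escapes_destination(name: str) -> bool:
    """True if the entry name would resolve outside the extraction directory."""
    name = name.replace("\\", "/")          # treat Windows separators the same way
    if name.startswith("/"):
        return True                          # absolute path ignores the destination
    normalized = posixpath.normpath(name)    # collapses "a/../b" to "b"
    return normalized == ".." or normalized.startswith("../")


def unsafe_entries(data: bytes) -> list[str]:
    """Names in the archive that must not be extracted as stored."""
    return [n for n in entry_names(data) if escapes_destination(n)]


def build_sample_zip() -> bytes:
    """Constructed sample: a normal entry, a traversal entry, and a '..' that stays inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../outside/sample.txt", "constructed test entry")
        zf.writestr("docs/../notes.txt", "stays inside the destination")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_entries(build_sample_zip()):
        print("entry escapes extraction directory:", name)
```

Normalizing before the check catches names such as "a/../../b" that do not begin with "../" but still leave the destination, while "docs/../notes.txt" is correctly treated as safe.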
