Ubuntu
ark package

CVE-2017-5330 - Ark: unintended execution of scripts and executable files

Bug #1655507 reported by Rik Mills
276
This bug affects 3 people
Affects Status Importance Assigned to Milestone
ark (Ubuntu)
Fix Released
Medium
Unassigned
Xenial
Fix Released
High
Unassigned
Yakkety
Fix Released
High
Unassigned
Zesty
Fix Released
Medium
Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: Ark: unintended execution of scripts and executable files
Risk Rating: Important
CVE: CVE-2017-5330
Versions: ark >= 15.12
Author: Elvis Angelaccio <email address hidden>
Date: 12 January 2017

Overview
========

Through a (possibly malicious) tar archive that contains an
executable shell script or binary, it was possible to execute
arbitrary code on target machines.
KRun::runUrl() has a runExecutable argument which defaults to true.
Ark was using this default value and was also not checking
whether an extracted file was executable before passing it to the
runUrl() function.

Impact
======

An attacker can send legitimate tar archives with executable scripts or
binaries disguised as normal files (say, with README or LICENSE as filenames).
The attacker then can trick a user to select those files and click
the Open button in the Ark toolbar, which triggers the affected code.

Workaround
==========

Don't use the File -> Open functionality of Ark.
You can still open archives (Archive->Open) and extract them.

Solution
========

Update to Ark >= 16.12.1

For older releases of Ark, apply the following patches:

Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

Credits
=======

Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for
fixing this issue.

See original description
Tags: patch

CVE References

Clive Johnston (clivejo)
Changed in ark (Ubuntu Xenial):
importance: Undecided → High
Changed in ark (Ubuntu Yakkety):
importance: Undecided → High
Changed in ark (Ubuntu Zesty):
importance: Undecided → Medium
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ark (Ubuntu):
status: New → Incomplete
Changed in ark (Ubuntu Xenial):
status: New → Incomplete
Changed in ark (Ubuntu Yakkety):
status: New → Incomplete
information type: Private Security → Public Security
Revision history for this message
Clive Johnston (clivejo) wrote :

I have a debdiff for Xenial, but due to my lack of resources (pathetic slow internet and old system) I can't test it.

https://launchpad.net/~kubuntu-ninjas/+archive/ubuntu/ppa/+packages?field.name_filter=ark&field.status_filter=published&field.series_filter=

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
vishnunaini (visred) wrote :

I am including a debdiff for yakkety

Clive if you want I can build it in my ppa. I already started building for yakkety. Please test it and sponsor these diffs https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages

Revision history for this message
vishnunaini (visred) wrote :

I tested it and no problems on yakkety. I was trying to send a merge proposal but I am unable to find the bzr branch.

Although ark is present at lp:ark , bzr can't pull from there for some reason. Tried using git too. Still can't find the branch.

Changed in ark (Ubuntu Xenial):
status: Incomplete → Confirmed
Changed in ark (Ubuntu Yakkety):
status: Incomplete → Confirmed
Changed in ark (Ubuntu Zesty):
status: Incomplete → Confirmed
Revision history for this message
Rik Mills (rikmills) wrote : Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

On 17/01/17 08:52, visred wrote:
> I tested it and no problems on yakkety. I was trying to send a merge
> proposal but I am unable to find the bzr branch.
>
> Although ark is present at lp:ark , bzr can't pull from there for some
> reason. Tried using git too. Still can't find the branch.

Here:
https://code.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/ark

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors so this gets looked at.

Revision history for this message
vishnunaini (visred) wrote :

New debdiff.patch that conforms ubuntu security sponsorship procedures

Revision history for this message
Simon Quigley (tsimonq2) wrote :

KDE Applications 16.12.1 seems to be uploaded to Zesty (excluding PIM) and it includes Ark 16.12.1, which has this fix baked in. https://launchpad.net/ubuntu/+source/ark/4:16.12.1-0ubuntu1

I'm marking this as Fix Committed in Zesty, and if someone could mark this as Fix Released once it gets through to zesty-release, that would be great. Looks like someone forgot to put this bug number in the changelog.

Changed in ark (Ubuntu Zesty):
status: Confirmed → Fix Committed
description: updated
Revision history for this message
Rik Mills (rikmills) wrote :

On 20/01/17 03:42, Simon Quigley wrote:
> I'm marking this as Fix Committed in Zesty, and if someone could mark
> this as Fix Released once it gets through to zesty-release, that would
> be great. Looks like someone forgot to put this bug number in the
> changelog.

I did, thanks.

Rik Mills (rikmills)
Changed in ark (Ubuntu Zesty):
status: Fix Committed → Fix Released
Emily Ratliff (emilyr)
Changed in ark (Ubuntu Yakkety):
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:16.04.3a-0ubuntu2.2

---------------
ark (4:16.04.3a-0ubuntu2.2) yakkety-security; urgency=medium

  * SECURITY UPDATE:unintended execution of scripts and executable files
      - debian/patches/no-exec-during-url-open.patch
      - Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.
      - CVE-2017-5330
      - fixes (LP: #1655507)

 -- Vishnu Vardhan Reddy Naini <email address hidden> Thu, 19 Jan 2017 03:10:04 +0530

Changed in ark (Ubuntu Yakkety):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ark - 4:15.12.3-0ubuntu1.1

---------------
ark (4:15.12.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Stop running executables when opening urls (LP: #1655507)
    - debian/patches/00_disable_open_functionality.patch
    - CVE-2017-5530

 -- Clive Johnston <email address hidden> Wed, 11 Jan 2017 16:42:19 +0000

Changed in ark (Ubuntu Xenial):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.