PublicDateAtUSN: 2020-08-03 20:15:00 UTC
Candidate: CVE-2020-16116
PublicDate: 2020-08-03 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16116
 https://kde.org/info/security/advisory-20200730-1.txt
 https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
 https://github.com/KDE/ark/commits/master
 https://www.debian.org/security/2020/dsa-4738
 https://ubuntu.com/security/notices/USN-4461-1
Description:
 In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can
 install files outside the extraction directory via ../ directory traversal.
Ubuntu-Description:
 Dominik Penner discovered that Ark did not properly sanitize zip
 archive files before performing extraction. An attacker could use
 this to construct a malicious zip archive that, when opened, would
 create files outside the extraction directory.
Notes:
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/focal/+source/ark/+bug/1889672
Priority: medium
Discovered-by: Dominik Penner
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N [3.3 LOW]


Patches_ark:
upstream_ark: released (4:20.04.3-1)
precise/esm_ark: DNE
trusty_ark: ignored (out of standard support)
trusty/esm_ark: DNE
xenial_ark: ignored (end of standard support, was needs-triage)
bionic_ark: released (4:17.12.3-0ubuntu1.1)
focal_ark: released (4:19.12.3-0ubuntu1.1)
groovy_ark: not-affected (4:20.04.3-1)
hirsute_ark: not-affected (4:20.04.3-1)
impish_ark: not-affected (4:20.04.3-1)
jammy_ark: not-affected (4:20.04.3-1)
devel_ark: not-affected (4:20.04.3-1)