KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 27 August 2020
Overview
========
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively, 8bf8c5ef07 can be applied to previous
releases.
Credits
=======
Thanks to Fabian Vogt for reporting this issue and for fixing it.
MFH: 2020Q3
Security: CVE-2020-24654
Dozens of KDE apps are getting new releases from KDE’s release service. New
features, usability improvements, re-designs and bug fixes all contribute to
helping boost your productivity and making this new batch of applications more
efficient and pleasant to use.
Full announcement:
https://kde.org/announcements/releases/2020-08-apps-update/
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 30 July 2020
Overview
========
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart
Workaround
==========
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
========
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively, 0df592524f can be applied to previous releases.
Credits
=======
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
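Both workarounds above ask the user to inspect an archive for symlink entries pointing outside the extraction folder (CVE-2020-24654) or for "../" components in entry paths (CVE-2020-16116) before extracting it. The following is an added example of that pre-extraction check, written here for this page and not taken from Ark or from the KDE project; it assumes an extraction directory `DEST` of `/home/user/extract`, builds its own small in-memory TAR and ZIP archives that merely mimic the shape of the linked proof-of-concept files (they are constructed, not the real ones), and treats a leading `PK` magic as ZIP and anything else as TAR. It goes slightly beyond the two advisories by also flagging hardlink targets that escape and regular entries whose path passes through an earlier symlink entry, since that is how a symlink-to-`..` is turned into a write outside the directory.

```python
"""Inspect a TAR or ZIP archive for entries that could escape the extraction
directory, i.e. the manual check the two Ark advisories recommend as a
workaround. Added example, not Ark's code. Assumptions: DEST is the intended
extraction directory; the sample archives are constructed in memory here and
only mimic the shape of the linked proof-of-concept files; a 'PK' magic is
taken to mean ZIP and anything else is handed to tarfile."""
import io
import posixpath
import sys
import tarfile
import zipfile

DEST = "/home/user/extract"  # assumed extraction directory


def escapes(dest, relpath):
    """True if joining relpath onto dest resolves to a path outside dest."""
    if posixpath.isabs(relpath):
        return True
    target = posixpath.normpath(posixpath.join(dest, relpath))
    return posixpath.commonpath([dest, target]) != dest


def _tar_entries(fobj):
    """Yield (name, kind, linkname) for every member of a TAR archive."""
    with tarfile.open(fileobj=fobj, mode="r:*") as tf:
        for m in tf.getmembers():
            kind = "symlink" if m.issym() else "hardlink" if m.islnk() else "file"
            yield m.name, kind, m.linkname if kind != "file" else None


def _zip_entries(fobj):
    """Yield (name, kind, linkname) for every member of a ZIP archive.
    Info-ZIP stores a symlink as S_IFLNK in the high external_attr bits,
    with the link target as the entry's content."""
    with zipfile.ZipFile(fobj) as zf:
        for info in zf.infolist():
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                yield info.filename, "symlink", zf.read(info).decode("utf-8", "replace")
            else:
                yield info.filename, "file", None


def find_unsafe_entries(fobj, dest=DEST):
    """Return [(entry_name, reason), ...] for entries that could write outside dest.

    Three checks: the entry path itself escapes; a symlink/hardlink target
    escapes (a symlink target is relative to the link's own directory, a TAR
    hardlink target to the archive root); or the path passes through an
    earlier symlink entry, which lets that link decide where the file lands."""
    dest = posixpath.normpath(dest)
    magic = fobj.read(2)
    fobj.seek(0)
    entries = _zip_entries(fobj) if magic == b"PK" else _tar_entries(fobj)
    findings, symlinks = [], set()
    for name, kind, linkname in entries:
        norm = posixpath.normpath(name)
        if escapes(dest, name):
            findings.append((name, "path escapes extraction directory"))
        if kind != "file":
            base = posixpath.dirname(norm) if kind == "symlink" else ""
            if escapes(dest, posixpath.join(base, linkname)):
                findings.append((name, f"{kind} target {linkname!r} escapes extraction directory"))
            if kind == "symlink":
                symlinks.add(norm)
        parts = norm.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, f"path passes through symlink entry {prefix!r}"))
                break
    return findings


def build_samples():
    """Constructed in-memory archives shaped like the advisories' cases:
    a TAR whose symlink points to '..' and places a file through it, and a
    ZIP with '../' in an entry name. Each also carries one harmless entry."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        link = tarfile.TarInfo("dirsym")
        link.type = tarfile.SYMTYPE
        link.linkname = ".."
        tf.addfile(link)
        payload = b"# constructed placeholder content\n"
        member = tarfile.TarInfo("dirsym/.bashrc")
        member.size = len(payload)
        tf.addfile(member, io.BytesIO(payload))
        tf.addfile(tarfile.TarInfo("readme.txt"))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("../.config/autostart/example.desktop", "")
        zf.writestr("safe/file.txt", "hello")
    tar_buf.seek(0)
    zip_buf.seek(0)
    return tar_buf, zip_buf


if __name__ == "__main__":
    # Usage: python inspect_archive.py [archive ...]; no argument runs the samples.
    sources = [open(p, "rb") for p in sys.argv[1:]] or list(build_samples())
    for src in sources:
        for name, reason in find_unsafe_entries(src) or [("-", "no unsafe entries")]:
            print(f"{name}: {reason}")
```

Run with no arguments it reports the two symlink findings for the constructed TAR and the one "../" finding for the constructed ZIP; pass real archive paths to inspect downloads before extracting them. The pass-through check is deliberately strict: it flags any entry placed beneath an earlier symlink, even one whose target stays inside `DEST`, because the extractor, not the archive listing, decides what that link resolves to at write time.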
Release notes at
https://kde.org/announcements/kde-frameworks-5.61.0.php
Thanks to
antoine@ for the exp-runs,
tcberner@ for most of the prep-work,
the Gentoo community for cherry-picking patches
There are a bunch of changes in (implicitly included) headers, which
broke existing KDE Applications builds; that's why there are a whole
bunch of "patch-gentoo-kf5-5.61-headers" patches (taken from Gentoo
packaging). Those will go away with the next KDE Applications release,
PR: 239777
Submitted by: tcberner
As the patch says, when ZSTD support is present creating a regular .tar archive
will end up creating a zstd file instead. In my tests, this prevented
adding/remove entries from the archive at all.
MFH: 2019Q1
type of the lambda explicit, to avoid this build error:
error: return type 'QString' must match previous return type 'const QString' when lambda expression has unspecified explicit return type
return QString();
Reported by: pkg-fallout
Approved by: tcberner (mentor, implicit)
In order to make room for the up-to-date version of the KDE Desktop and its
applications move the KDE Application ports based on Qt4.
PR: 225992
Exp-run by: antoine
Reviewed by: rakuco, adridg
Differential Revision: https://reviews.freebsd.org/D14413
The kde@ team presents KDE SC 4.14.3, the last planned release
of the KDE SC 4 series.
In addition to the updates provided by the KDE SC developers, this
update also addresses numerous FreeBSD and PORTS specific
issues, found and solved by the kde@ team and area51 testers,
most notoriously Tobias C. Berner <tcberner@gmail.com>
PR: 197751
PR: 197871
PR: 184996
Reviewed by: rakuco (mentor)
Differential: https://reviews.freebsd.org/D1950
4.7.2. The official release notes can be found at:
http://kde.org/announcements/announce-4.7.2.php
This release ships with many improvements. Read more about them here:
http://FreeBSD.kde.org/news.php#itemKDESC472availableinports
We'd like to say thanks to all testers and contributors, especially to
lwhsu@ for his effort on hosting our test packages.
PR: 156293 [1]
159219 [2]
160164 [3]
Submitted by: Oleg Sidorkin <osidorkin@gmail.com> [1]
Alvaro Castillo <gobledb@gmail.com> [2]
dkeav04@gmail.com [3]
Tested by: exp-run via pav
for FreeBSD. The official KDE 4.3.0 (Codename: "Caizen") release
notes can be found at:
http://kde.org/announcements/4.3/index.php.
We'd like to say thanks to all helpers and submitters.
Tested by: pointyhat-exp-run (pav/miwi)
multimedia/phonon port has been split into phonon itself, phonon-xine
and phonon-gstreamer backends. After updating phonon port you have
to install at least one backend. phonon-xine backend is recommended
for KDE.
for FreeBSD. The official KDE 4.2.0 (Codename: "The Answer") release
notes can be found at:
http://kde.org/announcements/4.2/index.php.
New supported languages include Arabic, Icelandic, Basque,
Hebrew, Romanian, Tajik and several Indian languages (Bengali India,
Gujarati, Kannada, Maithili, Marathi) indicating a rise in popularity in
this part of Asia.
New ports for KDE 4.2.0:
arabic/kde4-l10n Arabic
hebrew/kde4-l10n Hebrew
misc/kde4-l10n-bn_IN Bengali (India)
misc/kde4-l10n-eu Basque
misc/kde4-l10n-gu Gujarati
misc/kde4-l10n-is Icelandic
misc/kde4-l10n-kn Kannada
misc/kde4-l10n-mai Maithili
misc/kde4-l10n-mr Marathi
misc/kde4-l10n-ro Romanian
misc/kde4-l10n-tg Tajik
math/eigen2 Lightweight library for vector and matrix math
graphics/kipi-plugins-kde4 KDE4 kipi graphics plugins
sysutils/policykit-kde PolicyKit manager for KDE
Unfortunately FreeBSD 6.4 support is dropped.
We'd like to say thanks for feedback and help to:
Matt Tosto, Kris Moore, stickibit, David Johnson, Markus Brueffer,
David Naylor, Thomas Schlesinger, Warren Liddell, Thomas Abthorpe,
Diego Depaoli, Mats Andreassen, portmgr for exp-run and repocopies.
for FreeBSD. The official KDE 4.1.1 release notes can be found at
http://www.kde.org/announcements/changelogs/changelog4_1to4_1_1.php.
KDE Community ships first translation and service release of the 4.1
free desktop, containing numerous bugfixes, Performance Improvements
and Translation Updates.
Pretty much all applications have received the developers' attention,
resulting in a long list of bugfixes and improvements. The most significant
changes are:
* Significant performance, interaction and rendering correctness
improvements in KHTML and Konqueror, KDE's web browser
* User interaction, rendering and stability fixes in Plasma,
the KDE4 desktop shell
* PDF backend fixes in the document viewer Okular
* Fixes in Gwenview, the image viewer's thumbnailing, more
robust retrieval and display of images with broken metadata
* Stability and interaction fixes in KMail
New Ports:
- graphics/kcoloredit
* KColorEdit is a palette files editor. It can be used
for editing color palettes and for color choosing and
naming.
- graphics/kgraphviewer
* KGraphViewer is a GraphViz DOT graph viewer for KDE. The
GraphViz programs are free-software layout engines for graphs.
KGraphViewer displays the graphs in a modern, user-friendly GUI
with all the power of a well integrated KDE application.
- graphics/kiconedit
* KIconEdit is designed to help create icons for KDE using the standard
icon palette.
- graphics/skanlite
* Skanlite is a simple image scanning application that does nothing
more than scan and save images. Skanlite can open a save dialog for
every image scanned or save the images immediately in a specified
directory with auto-generated names and format. The user can also
choose to show the scanned image before saving.
for FreeBSD. The official KDE 4.1.0 release notes can be found at
http://www.kde.org/announcements/4.1/.
Some notes:
* Prefix
KDE4 will be installed into a custom prefix, namely ${LOCALBASE}/kde4.
KDE4 and KDE3 can co-exist.
* Sound
For sound to work, it is necessary to have dbus and hal enabled
in your system. Please see the respective documentation on how
to enable these.
For more information see the HEADS UP at ports@ and kde-freebsd@
or our wiki page http://wiki.freebsd.org/KDE4/Install.
Have fun!
-current archs). This has been broken for over 3 months.
configure incorrectly assumes that since FreeBSD has sqrtl,
that it also has other long math functions. Also, configure
seems to have 2 separate checks for the long math functions:
the first check looks for both asinl and sqrtl, the second
check looks for just sqrtl. FreeBSD does not currently have
asinl, so if configure just went by the first check it would
correctly determine that we do not have all the long math
functions. Remove the second check to fix the problem.
No response from: kde@
into separate ports. The OPTIONS will remain as of yet and trigger dependencies
now, for easy transition.
Update KOffice to version 1.3.2.
Add patches to fix a number of issues, including:
- fix kxkb on Xorg
- fix kdemultimedia WITH_MPEGLIB (now mpeglib_artsplug) compilation on gcc 3.4.2
with optimizations greater than -O
Add security related patches and entries to portaudit.txt.
Important changes:
==================
KDE:
- Audio/arts does not install artswrapper anymore, instead it is provided by
audio/artswrapper. See UPDATING.
- misc/kdeaddons3 is now a metaport with
editors/kate-plugins
editors/vimpart
games/atlantikdesigner
misc/kaddressbook-plugins
misc/kfile-plugins
misc/kicker-applets
misc/knewsticker-scripts
misc/konq-plugins
misc/ksig
misc/renamedlgplugins
multimedia/noatun-plugins
net/kontact-plugins
as slave ports.
- A number of KDE ports now use OPTIONS to make various WITH_* options more
visible.
- Plist fixes
- devel/kdevelop should be able to detect FreeBSD's autoconf/automake now for
newly created projects.
- kdebase will no longer remove previous KDM configurations. This won't take
effect during the update from 3.2.0 to 3.2.1 (as deinstalling 3.2.0 will still
remove the configuration), but subsequent updates will merge old configs.
QT:
- Previous versions of QT could be compiled with debugging-support enabled by
defining DEBUG. This switch has been renamed to the more unambiguous
WANT_QT_DEBUG (similar to WANT_KDE_DEBUG in the KDE ports).
Important changes:
==================
- Kmail and knode have been moved from kdenetwork to kdepim. This
means you will have to install kdepim if you want to continue using
kmail or knode. This is to ease integration with korganizer, in
the new 'Kontact' application.
- The arabic translations for KDE and KOffice have been moved from
misc to the arabic category.
- There is a new module called kdeaccessibility in the accessibility
category. It contains a few utilities for disabled users like a
magnification lens and a text-to-speech frontend.
- In KDM, you need to select the 'CUSTOM' session profile in order
to have your .xsession executed. This is particularly important if
you're using the aegypten tools
(http://freebsd.kde.org/howtos/aegypten-kmail.php).
- We have started making more parts of the ports optional. In kdepim,
both Kandy and KPilot can be turned off with ports-knobs. This
process will continue in the 3.2 series.
Official KDE 3.1.3 announcement:
http://www.kde.org/announcements/announce-3.1.3.php
(may not work until a few hours after this commit - we jumped the gun a little
in order to have the update in place at the time the security notifications for
KDE 3.1.2 will be released together with the announcement of KDE 3.1.3).
Changelog from 3.1.2 to 3.1.3 release:
http://www.kde.org/announcements/changelogs/changelog3_1_2to3_1_3.php
Thanks and credits need to go to the whole KDE-FreeBSD team, as well
as everyone on kde@freebsd.org for providing feedback, reporting bugs
and just using the KDE ports.
Approved by: will (real mentor asleep)
original versions of these ports, so some PORTREVISIONs were bumped. See
http://freebsd.kde.org/ and mailing lists linked to from there for info
on the packages generated to test these ports.
bsd.kde.mk has already been updated a few days ago to work with these.
Some patches applied to fix a few bugs were:
deskutils/kdepim3:
[1] Remove kpilot from build because it wasn't ready at release.
editors/koffice-kde3:
[2] Fix compile time bugs for FreeBSD.
misc/kdeedu3:
[3] Fix compile problem with kvoctrain.
x11/kdebase3:
[4] Fix KDM CPU usage and login bug.
Some caveats:
* All PLISTs are broken for deinstall due to script bug that I
didn't notice until very recently. This will be fixed when I
commit an update tomorrow. These ports should still install
perfectly fine though. They should also deinstall without
giving errors, but will leave directories behind.
* You can't install this with any other version of QT or KDE
already installed. I am not sure the checks are 100% working,
but fixes for these will be forthcoming. This is mainly due
to a policy decision made by kde@ to make QT/KDE ports install
the way the rest of the world expects it to while also still
conforming to FreeBSD's hier(7). For reference on this decision,
please consult the KDE/FreeBSD mailing list archives. This
decision fixes 2-year-old bug reports relating to how we handled
this for KDE2 vs KDE1.
Submitted by: [1] Adrian de Groot <adridg@cs.kun.nl>,
[2] David Faure <faure@kde.org>,
Andy Fawcett <andy@athame.co.uk>
Lauri Watts <lauri@kde.org>
[3] Lauri Watts <lauri@kde.org>
[4] Alan Eldridge <alane@geeksrus.net>
Oswald Buddenhagen <ossi@kde.org>
Reviewed by: kde
* General:
- Support for objprelink.
- Hack for autoconf 2.13/automake 1.4. Note that we can't use
the standard USE_AUTO* because they change things in work/*;
KDE has its own way of doing that.
- Light cleanup of extra dirs in the PLISTs provided by
my mkplistpkg[1] script.
- Speedups of both compile and runtime through the usage of
--disable-debug and --enable-final. The latter did not work
with the kdemultimedia package, unfortunately.
- Patch updates.
* audio/kdemultimedia2:
- Patch to fix KSCD on FreeBSD[2]. It works very well now.
* deskutils/kdepim:
- Enable kpilot[3]. Pull in the latest pilot-link stuff.
* devel/kdesdk,
* devel/kdevelop:
- No specific changes.
* devel/qt-designer:
- Make this port depend almost entirely on qt23 to make it more
maintainable, so I don't have to keep hacking the patches to
get them to apply.
* editors/koffice,
* games/kdegames,
* graphics/kdegraphics:
- No specific changes.
* misc/kdeaddons:
- SDL is required now. Cull SDL PLIST_SUB and such.
- Fix breakage from hardcoding "sdl-config".
* misc/kdeutils2:
- Fix problem with klaptopdaemon[4] where it didn't properly
display the battery time. This patch is untested, but applied.
* net/kdenetwork2:
- Fix DCC for KSIRC[5].
- Remove ktalkd from the build. It requires some weird thing
in the configure script that I don't have time to look at.
* sysutils/kdeadmin:
- No specific changes.
* textproc/kdoc:
- Remove bogus requirement that kdoc requires Perl 5.6.0; it sure
seems to operate fine with >= 5.005. But I'll let time tell.
* www/quanta:
- No specific changes (--disable-debug support only).
* x11/kde2:
- No specific changes.
* x11/kdebase2:
- Fix ksysguard compile by merging the files from the HEAD branch
of KDE CVS that were missing at release time for FreeBSD[6]. :\
* x11/kdelibs2:
- Recognize CUPS' spinoff[7].
- Add libxslt dependency since it was removed from kdelibs.
- Fix libxml compile problems[8] (accomplished by upgrading).
- Remove libkformula from port Makefile; this library has been
spun off into koffice.
- Fix mode problems with DCOP[9]. This allows you to save files
properly. It also seems to be a FreeBSD specific problem.
- Fix bashisms in kdeprint/imagetops script[10].
* x11-clocks/kdetoys2:
- No specific changes.
* x11-toolkits/qt23:
- Do NOT upgrade to QT 2.3.2[11].
- Allow devel/qt-designer to depend on this port entirely for the
patches by adding a perlre to accomplish this.
* x11-wm/kdeartwork:
- No specific changes.
Thanks to the FreeBSD/KDE[1] team[12] who helped me test these out!
[1] http://freebsd.kde.org/;
http://www.databits.net/cgi-bin/cvsweb.cgi/scripts/portbuild/mkplistpkg
[2] Submitted by: Matthew Holmes <matt@speakeasy.net>
[3] PR: 31914
Submitted by: Alan Eldridge <alane@geeksrus.net>
[4] PR: 28475
Submitted by: Arun Sharma <arun@sharmas.dhs.org>
[5] Submitted by: Luc Morin <luc_m@videotron.ca>
[6] Found at: http://webcvs.kde.org/kdebase/ksysguard/ksysguardd/FreeBSD/
[7] PR: 32321
Reported by: gad
Submitted by: James A. Halstead <jah4007@cs.rit.edu>
[8] PR: 32055
Reported by: William Richard <wrichard@trivalley.com>, others
[9] PR: 31629
Submitted by: Alan Eldridge <alane@geeksrus.net>
[10] PR: 32358
Submitted by: Alexander N. Kabaev <ak03@gte.com>
[11] PR: 31809
Requested by: Nathan Ahlstrom <nrahlstr@winternet.com> (denied)
[12] http://freebsd.kde.org/contact.shtml;
http://lists.csociety.org/pipermail/kde-freebsd;
http://lists.csociety.org/listinfo/kde-freebsd