Submitted By: Bruce Dubbs (bdubbs at linuxfromscratch dot org)
Date: 2020-08-28
Initial Package Version: ark-20.08.0
Origin: https://invent.kde.org/utilities/ark/-/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
Upstream Status: Committed
Description: A maliciously crafted TAR archive with symlinks can 
             install files outside the extraction directory.

diff -Naur ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp
--- ark-20.08.0.orig/plugins/libarchive/libarchiveplugin.cpp    2020-08-05 02:53:26.000000000 -0500
+++ ark-20.08.0/plugins/libarchive/libarchiveplugin.cpp 2020-08-28 12:46:09.307464120 -0500
@@ -509,21 +509,9 @@
 
 int LibarchivePlugin::extractionFlags() const
 {
-    int result = ARCHIVE_EXTRACT_TIME;
-    result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-
-    // TODO: Don't use arksettings here
-    /*if ( ArkSettings::preservePerms() )
-    {
-        result &= ARCHIVE_EXTRACT_PERM;
-    }
-
-    if ( !ArkSettings::extractOverwrite() )
-    {
-        result &= ARCHIVE_EXTRACT_NO_OVERWRITE;
-    }*/
-
-    return result;
+    return ARCHIVE_EXTRACT_TIME
+               | ARCHIVE_EXTRACT_SECURE_NODOTDOT
+               | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
 }
 
 void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress)