gentoo resync : 25.08.2020

4 files changed, 63 insertions, 17 deletions

diff --git a/kde-apps/ark/Manifest b/kde-apps/ark/Manifest
index bf6f6191e232..1f5f0dc1bfd1 100644
--- a/kde-apps/ark/Manifest
+++ b/kde-apps/ark/Manifest
@@ -1,5 +1,6 @@
-DIST ark-19.12.3.tar.xz 2586112 BLAKE2B c4bde5469dde1ac7cc48b4ecfec260596e2bd3123d9b7c83a5281f45d17675477c2641b708469301e536f04f0e2b469e733c9f95053201682e4af1c2bf378226 SHA512 0f1a155bcfaca1b28b5035943a3d881de89a68c5e8bac156dd1304aa431c5700b6da6dc70e43e82560594bc5aab0ee1d3f3ec50ed4dd15e7f3dd053acbb1a14a
-DIST ark-20.04.2.tar.xz 2587052 BLAKE2B d05e72bd38070376abf1a69ca46c7d5223c3bcfb25469a5b287a2d124c76249c53cd0b5d3923d9f7205a439767acc5cfd443a0dbf8a75cf834df4ea0e43367c6 SHA512 35f0d17655e9a38c4d9ff4d9777a4198416258cb73d368085d8eaa6eb40622a3e8f8573826789fb978794b84519f131f9e0193b8b279598015dcd89597187cb5
-EBUILD ark-19.12.3.ebuild 2247 BLAKE2B 051b5d50521be9f15a1e072171a934db35b7f7baf578824329c5852668f81f104b99516b2561c9982cf5619eba82477fed99599879cd50617b6ad8cee51ba54e SHA512 a331b79aee1a6a9f4f33dc04aba0365cbb10e51693813477c746b27848f663dbb35a899fe629b816839276a2024705264c67d650b75450358f00f50721d602ff
-EBUILD ark-20.04.2.ebuild 2209 BLAKE2B d1caebc22092c59e93a69be415af3a2398b06e5f50bf70bf690ea23fa868e6f5f7b5c1337b56380aaa1acdb6fb8839b5f9bf63de8d3276761b234583be00e4f5 SHA512 49cd98ba4a30b620fb9a0cafac28cd5b9070b1f06a1260d3352b723f61fca995251baba82788861c656db198e2b559e9db58c424657e35bd194a04bfbf904c31
+AUX ark-20.04.3-CVE-2020-16116.patch 1819 BLAKE2B 878e3046b1096bb5c9ec1ba64fcb2350b025f87295350182df435ad05302415ac486c51be39ac4c561d41930998a0b8b0031d5240dbcf085f275375e453eb640 SHA512 953ca28531a92198f9d5e429cea85e2887b88e5132093845c3f52615e7f736b592bea8d80c98a7c198685062ef47efc463e5cecacca5470cf920f00bfc461e41
+DIST ark-20.04.3.tar.xz 2586436 BLAKE2B 98343a4bc91fd13a33ba9dd69487c27433435d4bff722245c2cde02191017f4fa0b2d15213b97a86c3ecd87a17bf59e62a80b63c6684c813845bec9bab58f441 SHA512 6274483bc7cad9b8b3842a622a3f243fd5756aec147624eb9041459efd5c833e203c286412185bb105133d8c83a7503c8c7e519b8cb9cbd13830793c3429e142
+DIST ark-20.08.0.tar.xz 2708180 BLAKE2B 199c668dcf8d4191cd56502a0c7235a5a004ccbf4a4957b021bd1fb1bbe4d51eb60c0687511eaf7ecfcb1c905c20652c5cee694480a90a4ea4124e7af197d4fb SHA512 358a9e181b60e82f34d33efad9f718fa363653752f5e9e465564814a9554745f9708b50a9b39dae95bb9a2f1b88874c6c459862c6283feae6b201b22cdacaacc
+EBUILD ark-20.04.3-r1.ebuild 2259 BLAKE2B 52cf0ce440871bf16f91936bf7164d669358c505112a57391fcf4b73f38d0bc45d67424934e712181a21755b2e7e642d74d7d5ca649d4534f16ca4f78d4a6a2b SHA512 50f97838ce7467483eae5f0d55a5e664f43e48a5598ade916774272b57daa9a2ab10824067935a4a2ffe3a5626634514e5f599a846aea5444d5dd2f379b3dbee
+EBUILD ark-20.08.0.ebuild 2115 BLAKE2B 2a5244e81d79c223c6657934a09fde05894b8da3bb912146d3aa4863900479f04968dc1dee990be57e563299f2d5468a35b19b89f372a071efcf602e7674acb8 SHA512 7ea27350fae6f7eada8f3f1963b1631053f398eb0563c7261eb2763186b0a59f68bb8d4f687006eabde338ba3ad4da79ee58ce05082bf1ff3280231e6a323e53
 MISC metadata.xml 348 BLAKE2B 89cd42a24774f85082d025bc18402e0d4a36e07ab62155b67474a14c7294de3875d078167521f6cc4496f97f311de9264ff8c41e78477101a80d0ae2a034dcaf SHA512 447d60adfaec4e52c25d7a61a281b8b044c9a786a0600b8a8260a150f6842047f45b981aabb75e56255d05a918370113f6d2552fec1b88f661141453e003c472
diff --git a/kde-apps/ark/ark-19.12.3.ebuild b/kde-apps/ark/ark-20.04.3-r1.ebuild
index 53fc4c087280..a06c99dee9c0 100644
--- a/kde-apps/ark/ark-19.12.3.ebuild
+++ b/kde-apps/ark/ark-20.04.3-r1.ebuild
@@ -5,8 +5,8 @@ EAPI=7
 
 ECM_HANDBOOK="forceoptional"
 ECM_TEST="optional"
-KFMIN=5.63.0
-QTMIN=5.12.3
+KFMIN=5.70.0
+QTMIN=5.14.2
 VIRTUALX_REQUIRED="test"
 inherit ecm kde.org
 
@@ -23,6 +23,10 @@ BDEPEND="
 	sys-devel/gettext
 "
 RDEPEND="
+	app-arch/libarchive:=[bzip2?,lzma?,zlib]
+	>=dev-qt/qtdbus-${QTMIN}:5
+	>=dev-qt/qtgui-${QTMIN}:5
+	>=dev-qt/qtwidgets-${QTMIN}:5
 	>=kde-frameworks/karchive-${KFMIN}:5
 	>=kde-frameworks/kcompletion-${KFMIN}:5
 	>=kde-frameworks/kconfig-${KFMIN}:5
@@ -31,7 +35,6 @@ RDEPEND="
 	>=kde-frameworks/kcrash-${KFMIN}:5
 	>=kde-frameworks/kdbusaddons-${KFMIN}:5
 	>=kde-frameworks/ki18n-${KFMIN}:5
-	>=kde-frameworks/kiconthemes-${KFMIN}:5
 	>=kde-frameworks/kio-${KFMIN}:5
 	>=kde-frameworks/kitemmodels-${KFMIN}:5
 	>=kde-frameworks/kjobwidgets-${KFMIN}:5
@@ -40,10 +43,6 @@ RDEPEND="
 	>=kde-frameworks/kservice-${KFMIN}:5
 	>=kde-frameworks/kwidgetsaddons-${KFMIN}:5
 	>=kde-frameworks/kxmlgui-${KFMIN}:5
-	>=dev-qt/qtdbus-${QTMIN}:5
-	>=dev-qt/qtgui-${QTMIN}:5
-	>=dev-qt/qtwidgets-${QTMIN}:5
-	app-arch/libarchive:=[bzip2?,lzma?,zlib]
 	sys-libs/zlib
 	zip? ( >=dev-libs/libzip-1.2.0:= )
 "
@@ -54,6 +53,8 @@ DEPEND="${RDEPEND}
 # bug #560548, last checked with 16.04.1
 RESTRICT+=" test"
 
+PATCHES=( "${FILESDIR}/${P}-CVE-2020-16116.patch" )
+
 src_configure() {
 	local mycmakeargs=(
 		$(cmake_use_find_package bzip2 BZip2)
diff --git a/kde-apps/ark/ark-20.04.2.ebuild b/kde-apps/ark/ark-20.08.0.ebuild
index 591751626232..5d72416268b7 100644
--- a/kde-apps/ark/ark-20.04.2.ebuild
+++ b/kde-apps/ark/ark-20.08.0.ebuild
@@ -5,8 +5,8 @@ EAPI=7
 
 ECM_HANDBOOK="forceoptional"
 ECM_TEST="optional"
-KFMIN=5.70.0
-QTMIN=5.14.1
+KFMIN=5.72.0
+QTMIN=5.14.2
 VIRTUALX_REQUIRED="test"
 inherit ecm kde.org
 
@@ -17,13 +17,13 @@ https://utils.kde.org/projects/ark/"
 LICENSE="GPL-2" # TODO: CHECK
 SLOT="5"
 KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
-IUSE="bzip2 lzma zip"
+IUSE="zip"
 
 BDEPEND="
 	sys-devel/gettext
 "
 RDEPEND="
-	app-arch/libarchive:=[bzip2?,lzma?,zlib]
+	app-arch/libarchive:=[bzip2,lzma,zlib]
 	>=dev-qt/qtdbus-${QTMIN}:5
 	>=dev-qt/qtgui-${QTMIN}:5
 	>=dev-qt/qtwidgets-${QTMIN}:5
@@ -55,8 +55,6 @@ RESTRICT+=" test"
 
 src_configure() {
 	local mycmakeargs=(
-		$(cmake_use_find_package bzip2 BZip2)
-		$(cmake_use_find_package lzma LibLZMA)
 		$(cmake_use_find_package zip LibZip)
 	)
 
diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch
new file mode 100644
index 000000000000..79129c7be6e1
--- /dev/null
+++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch
@@ -0,0 +1,46 @@
+From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
+From: Elvis Angelaccio <elvis.angelaccio@kde.org>
+Date: Wed, 29 Jul 2020 23:45:30 +0200
+Subject: [PATCH] Fix vulnerability to path traversal attacks
+
+Ark was vulnerable to directory traversal attacks because of
+missing validation of file paths in the archive.
+
+More details about this attack are available at:
+https://github.com/snyk/zip-slip-vulnerability
+
+Job::onEntry() is the only place where we can safely check the path of
+every entry in the archive. There shouldn't be a valid reason
+to have a "../" in an archive path, so we can just play safe and abort
+the LoadJob if we detect such an entry. This makes impossibile to
+extract this kind of malicious archives and perform the attack.
+
+Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
+so that we can still allow loading of legitimate archives that
+contain "../" in their paths but still resolve inside the extraction folder.
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
+index fdaa48695..f73b56f86 100644
+--- a/kerfuffle/jobs.cpp
++++ b/kerfuffle/jobs.cpp
+@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
+ 
+ void Job::onEntry(Archive::Entry *entry)
+ {
++    const QString entryFullPath = entry->fullPath();
++    if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++        qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++        onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++        onFinished(false);
++        return;
++    }
++
+     emit newEntry(entry);
+ }
+ 
+-- 
+GitLab
+