From 3cf7c3ef441822c889356fd1812ebf2944a59851 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 25 Aug 2020 10:45:55 +0100
Subject: gentoo resync : 25.08.2020

---
 kde-apps/ark/Manifest | 9 ++-
 kde-apps/ark/ark-19.12.3.ebuild | 84 --------------------
 kde-apps/ark/ark-20.04.2.ebuild | 83 --------------------
 kde-apps/ark/ark-20.04.3-r1.ebuild | 85 ++++++++++++++++++++++
 kde-apps/ark/ark-20.08.0.ebuild | 81 +++++++++++++++++++++
 .../ark/files/ark-20.04.3-CVE-2020-16116.patch | 46 ++++++++++++
 6 files changed, 217 insertions(+), 171 deletions(-)
 delete mode 100644 kde-apps/ark/ark-19.12.3.ebuild
 delete mode 100644 kde-apps/ark/ark-20.04.2.ebuild
 create mode 100644 kde-apps/ark/ark-20.04.3-r1.ebuild
 create mode 100644 kde-apps/ark/ark-20.08.0.ebuild
 create mode 100644 kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch

(limited to 'kde-apps/ark')

diff --git a/kde-apps/ark/Manifest b/kde-apps/ark/Manifest
index bf6f6191e232..1f5f0dc1bfd1 100644
--- a/kde-apps/ark/Manifest
+++ b/kde-apps/ark/Manifest
@@ -1,5 +1,6 @@
-DIST ark-19.12.3.tar.xz 2586112 BLAKE2B c4bde5469dde1ac7cc48b4ecfec260596e2bd3123d9b7c83a5281f45d17675477c2641b708469301e536f04f0e2b469e733c9f95053201682e4af1c2bf378226 SHA512 0f1a155bcfaca1b28b5035943a3d881de89a68c5e8bac156dd1304aa431c5700b6da6dc70e43e82560594bc5aab0ee1d3f3ec50ed4dd15e7f3dd053acbb1a14a
-DIST ark-20.04.2.tar.xz 2587052 BLAKE2B d05e72bd38070376abf1a69ca46c7d5223c3bcfb25469a5b287a2d124c76249c53cd0b5d3923d9f7205a439767acc5cfd443a0dbf8a75cf834df4ea0e43367c6 SHA512 35f0d17655e9a38c4d9ff4d9777a4198416258cb73d368085d8eaa6eb40622a3e8f8573826789fb978794b84519f131f9e0193b8b279598015dcd89597187cb5
-EBUILD ark-19.12.3.ebuild 2247 BLAKE2B 051b5d50521be9f15a1e072171a934db35b7f7baf578824329c5852668f81f104b99516b2561c9982cf5619eba82477fed99599879cd50617b6ad8cee51ba54e SHA512 a331b79aee1a6a9f4f33dc04aba0365cbb10e51693813477c746b27848f663dbb35a899fe629b816839276a2024705264c67d650b75450358f00f50721d602ff
-EBUILD ark-20.04.2.ebuild 2209 BLAKE2B d1caebc22092c59e93a69be415af3a2398b06e5f50bf70bf690ea23fa868e6f5f7b5c1337b56380aaa1acdb6fb8839b5f9bf63de8d3276761b234583be00e4f5 SHA512 49cd98ba4a30b620fb9a0cafac28cd5b9070b1f06a1260d3352b723f61fca995251baba82788861c656db198e2b559e9db58c424657e35bd194a04bfbf904c31
+AUX ark-20.04.3-CVE-2020-16116.patch 1819 BLAKE2B 878e3046b1096bb5c9ec1ba64fcb2350b025f87295350182df435ad05302415ac486c51be39ac4c561d41930998a0b8b0031d5240dbcf085f275375e453eb640 SHA512 953ca28531a92198f9d5e429cea85e2887b88e5132093845c3f52615e7f736b592bea8d80c98a7c198685062ef47efc463e5cecacca5470cf920f00bfc461e41
+DIST ark-20.04.3.tar.xz 2586436 BLAKE2B 98343a4bc91fd13a33ba9dd69487c27433435d4bff722245c2cde02191017f4fa0b2d15213b97a86c3ecd87a17bf59e62a80b63c6684c813845bec9bab58f441 SHA512 6274483bc7cad9b8b3842a622a3f243fd5756aec147624eb9041459efd5c833e203c286412185bb105133d8c83a7503c8c7e519b8cb9cbd13830793c3429e142
+DIST ark-20.08.0.tar.xz 2708180 BLAKE2B 199c668dcf8d4191cd56502a0c7235a5a004ccbf4a4957b021bd1fb1bbe4d51eb60c0687511eaf7ecfcb1c905c20652c5cee694480a90a4ea4124e7af197d4fb SHA512 358a9e181b60e82f34d33efad9f718fa363653752f5e9e465564814a9554745f9708b50a9b39dae95bb9a2f1b88874c6c459862c6283feae6b201b22cdacaacc
+EBUILD ark-20.04.3-r1.ebuild 2259 BLAKE2B 52cf0ce440871bf16f91936bf7164d669358c505112a57391fcf4b73f38d0bc45d67424934e712181a21755b2e7e642d74d7d5ca649d4534f16ca4f78d4a6a2b SHA512 50f97838ce7467483eae5f0d55a5e664f43e48a5598ade916774272b57daa9a2ab10824067935a4a2ffe3a5626634514e5f599a846aea5444d5dd2f379b3dbee
+EBUILD ark-20.08.0.ebuild 2115 BLAKE2B 2a5244e81d79c223c6657934a09fde05894b8da3bb912146d3aa4863900479f04968dc1dee990be57e563299f2d5468a35b19b89f372a071efcf602e7674acb8 SHA512 7ea27350fae6f7eada8f3f1963b1631053f398eb0563c7261eb2763186b0a59f68bb8d4f687006eabde338ba3ad4da79ee58ce05082bf1ff3280231e6a323e53
 MISC metadata.xml 348 BLAKE2B 89cd42a24774f85082d025bc18402e0d4a36e07ab62155b67474a14c7294de3875d078167521f6cc4496f97f311de9264ff8c41e78477101a80d0ae2a034dcaf SHA512 447d60adfaec4e52c25d7a61a281b8b044c9a786a0600b8a8260a150f6842047f45b981aabb75e56255d05a918370113f6d2552fec1b88f661141453e003c472
diff --git a/kde-apps/ark/ark-19.12.3.ebuild b/kde-apps/ark/ark-19.12.3.ebuild
deleted file mode 100644
index 53fc4c087280..000000000000
--- a/kde-apps/ark/ark-19.12.3.ebuild
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-ECM_HANDBOOK="forceoptional"
-ECM_TEST="optional"
-KFMIN=5.63.0
-QTMIN=5.12.3
-VIRTUALX_REQUIRED="test"
-inherit ecm kde.org
-
-DESCRIPTION="KDE Archiving tool"
-HOMEPAGE="https://kde.org/applications/utilities/org.kde.ark
-https://utils.kde.org/projects/ark/"
-
-LICENSE="GPL-2" # TODO: CHECK
-SLOT="5"
-KEYWORDS="amd64 arm64 ~ppc64 x86"
-IUSE="bzip2 lzma zip"
-
-BDEPEND="
- sys-devel/gettext
-"
-RDEPEND="
- >=kde-frameworks/karchive-${KFMIN}:5
- >=kde-frameworks/kcompletion-${KFMIN}:5
- >=kde-frameworks/kconfig-${KFMIN}:5
- >=kde-frameworks/kconfigwidgets-${KFMIN}:5
- >=kde-frameworks/kcoreaddons-${KFMIN}:5
- >=kde-frameworks/kcrash-${KFMIN}:5
- >=kde-frameworks/kdbusaddons-${KFMIN}:5
- >=kde-frameworks/ki18n-${KFMIN}:5
- >=kde-frameworks/kiconthemes-${KFMIN}:5
- >=kde-frameworks/kio-${KFMIN}:5
- >=kde-frameworks/kitemmodels-${KFMIN}:5
- >=kde-frameworks/kjobwidgets-${KFMIN}:5
- >=kde-frameworks/kparts-${KFMIN}:5
- >=kde-frameworks/kpty-${KFMIN}:5
- >=kde-frameworks/kservice-${KFMIN}:5
- >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
- >=kde-frameworks/kxmlgui-${KFMIN}:5
- >=dev-qt/qtdbus-${QTMIN}:5
- >=dev-qt/qtgui-${QTMIN}:5
- >=dev-qt/qtwidgets-${QTMIN}:5
- app-arch/libarchive:=[bzip2?,lzma?,zlib]
- sys-libs/zlib
- zip? ( >=dev-libs/libzip-1.2.0:= )
-"
-DEPEND="${RDEPEND}
- >=dev-qt/qtconcurrent-${QTMIN}:5
-"
-
-# bug #560548, last checked with 16.04.1
-RESTRICT+=" test"
-
-src_configure() {
- local mycmakeargs=(
- $(cmake_use_find_package bzip2 BZip2)
- $(cmake_use_find_package lzma LibLZMA)
- $(cmake_use_find_package zip LibZip)
- )
-
- ecm_src_configure
-}
-
-pkg_postinst() {
- ecm_pkg_postinst
-
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- if ! has_version app-arch/rar; then
- elog "For creating/extracting rar archives, installing app-arch/rar is required."
- if ! has_version app-arch/unar && ! has_version app-arch/unrar; then
- elog "Alternatively, for only extracting rar archives, install app-arch/unar (free) or app-arch/unrar (non-free)."
- fi
- fi
-
- has_version app-arch/p7zip || \
- elog "For handling 7-Zip archives, install app-arch/p7zip."
-
- has_version app-arch/lrzip || \
- elog "For handling lrz archives, install app-arch/lrzip."
- fi
-}
diff --git a/kde-apps/ark/ark-20.04.2.ebuild b/kde-apps/ark/ark-20.04.2.ebuild
deleted file mode 100644
index 591751626232..000000000000
--- a/kde-apps/ark/ark-20.04.2.ebuild
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-ECM_HANDBOOK="forceoptional"
-ECM_TEST="optional"
-KFMIN=5.70.0
-QTMIN=5.14.1
-VIRTUALX_REQUIRED="test"
-inherit ecm kde.org
-
-DESCRIPTION="KDE Archiving tool"
-HOMEPAGE="https://kde.org/applications/utilities/org.kde.ark
-https://utils.kde.org/projects/ark/"
-
-LICENSE="GPL-2" # TODO: CHECK
-SLOT="5"
-KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
-IUSE="bzip2 lzma zip"
-
-BDEPEND="
- sys-devel/gettext
-"
-RDEPEND="
- app-arch/libarchive:=[bzip2?,lzma?,zlib]
- >=dev-qt/qtdbus-${QTMIN}:5
- >=dev-qt/qtgui-${QTMIN}:5
- >=dev-qt/qtwidgets-${QTMIN}:5
- >=kde-frameworks/karchive-${KFMIN}:5
- >=kde-frameworks/kcompletion-${KFMIN}:5
- >=kde-frameworks/kconfig-${KFMIN}:5
- >=kde-frameworks/kconfigwidgets-${KFMIN}:5
- >=kde-frameworks/kcoreaddons-${KFMIN}:5
- >=kde-frameworks/kcrash-${KFMIN}:5
- >=kde-frameworks/kdbusaddons-${KFMIN}:5
- >=kde-frameworks/ki18n-${KFMIN}:5
- >=kde-frameworks/kio-${KFMIN}:5
- >=kde-frameworks/kitemmodels-${KFMIN}:5
- >=kde-frameworks/kjobwidgets-${KFMIN}:5
- >=kde-frameworks/kparts-${KFMIN}:5
- >=kde-frameworks/kpty-${KFMIN}:5
- >=kde-frameworks/kservice-${KFMIN}:5
- >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
- >=kde-frameworks/kxmlgui-${KFMIN}:5
- sys-libs/zlib
- zip? ( >=dev-libs/libzip-1.2.0:= )
-"
-DEPEND="${RDEPEND}
- >=dev-qt/qtconcurrent-${QTMIN}:5
-"
-
-# bug #560548, last checked with 16.04.1
-RESTRICT+=" test"
-
-src_configure() {
- local mycmakeargs=(
- $(cmake_use_find_package bzip2 BZip2)
- $(cmake_use_find_package lzma LibLZMA)
- $(cmake_use_find_package zip LibZip)
- )
-
- ecm_src_configure
-}
-
-pkg_postinst() {
- ecm_pkg_postinst
-
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- if ! has_version app-arch/rar; then
- elog "For creating/extracting rar archives, installing app-arch/rar is required."
- if ! has_version app-arch/unar && ! has_version app-arch/unrar; then
- elog "Alternatively, for only extracting rar archives, install app-arch/unar (free) or app-arch/unrar (non-free)."
- fi
- fi
-
- has_version app-arch/p7zip || \
- elog "For handling 7-Zip archives, install app-arch/p7zip."
-
- has_version app-arch/lrzip || \
- elog "For handling lrz archives, install app-arch/lrzip."
- fi
-}
diff --git a/kde-apps/ark/ark-20.04.3-r1.ebuild b/kde-apps/ark/ark-20.04.3-r1.ebuild
new file mode 100644
index 000000000000..a06c99dee9c0
--- /dev/null
+++ b/kde-apps/ark/ark-20.04.3-r1.ebuild
@@ -0,0 +1,85 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="forceoptional"
+ECM_TEST="optional"
+KFMIN=5.70.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="KDE Archiving tool"
+HOMEPAGE="https://kde.org/applications/utilities/org.kde.ark
+https://utils.kde.org/projects/ark/"
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="amd64 arm64 ~ppc64 x86"
+IUSE="bzip2 lzma zip"
+
+BDEPEND="
+ sys-devel/gettext
+"
+RDEPEND="
+ app-arch/libarchive:=[bzip2?,lzma?,zlib]
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-frameworks/karchive-${KFMIN}:5
+ >=kde-frameworks/kcompletion-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kcrash-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kio-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/kjobwidgets-${KFMIN}:5
+ >=kde-frameworks/kparts-${KFMIN}:5
+ >=kde-frameworks/kpty-${KFMIN}:5
+ >=kde-frameworks/kservice-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+ sys-libs/zlib
+ zip? ( >=dev-libs/libzip-1.2.0:= )
+"
+DEPEND="${RDEPEND}
+ >=dev-qt/qtconcurrent-${QTMIN}:5
+"
+
+# bug #560548, last checked with 16.04.1
+RESTRICT+=" test"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2020-16116.patch" )
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package bzip2 BZip2)
+ $(cmake_use_find_package lzma LibLZMA)
+ $(cmake_use_find_package zip LibZip)
+ )
+
+ ecm_src_configure
+}
+
+pkg_postinst() {
+ ecm_pkg_postinst
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ if ! has_version app-arch/rar; then
+ elog "For creating/extracting rar archives, installing app-arch/rar is required."
+ if ! has_version app-arch/unar && ! has_version app-arch/unrar; then
+ elog "Alternatively, for only extracting rar archives, install app-arch/unar (free) or app-arch/unrar (non-free)."
+ fi
+ fi
+
+ has_version app-arch/p7zip || \
+ elog "For handling 7-Zip archives, install app-arch/p7zip."
+
+ has_version app-arch/lrzip || \
+ elog "For handling lrz archives, install app-arch/lrzip."
+ fi
+}
diff --git a/kde-apps/ark/ark-20.08.0.ebuild b/kde-apps/ark/ark-20.08.0.ebuild
new file mode 100644
index 000000000000..5d72416268b7
--- /dev/null
+++ b/kde-apps/ark/ark-20.08.0.ebuild
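Review bot: The new `PATCHES=( "${FILESDIR}/${P}-CVE-2020-16116.patch" )` line says nothing about what the patch fixes or where it comes from, so the next version bump has to open the patch file to decide whether it is still needed; a one-line note above it such as `# CVE-2020-16116: path traversal on archive load; upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f (2020-07-29)` would record that. The same hunk carries `RESTRICT+=" test"` forward under the comment `# bug #560548, last checked with 16.04.1`, so the backported traversal check is never exercised by the package's own test suite during the build; for a revision whose only purpose is a security fix that justification is old enough to be worth re-checking rather than copied. `LICENSE="GPL-2" # TODO: CHECK` is likewise copied unresolved into a new file.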
@@ -0,0 +1,81 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="forceoptional"
+ECM_TEST="optional"
+KFMIN=5.72.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="KDE Archiving tool"
+HOMEPAGE="https://kde.org/applications/utilities/org.kde.ark
+https://utils.kde.org/projects/ark/"
+
+LICENSE="GPL-2" # TODO: CHECK
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+IUSE="zip"
+
+BDEPEND="
+ sys-devel/gettext
+"
+RDEPEND="
+ app-arch/libarchive:=[bzip2,lzma,zlib]
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-frameworks/karchive-${KFMIN}:5
+ >=kde-frameworks/kcompletion-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kcrash-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kio-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/kjobwidgets-${KFMIN}:5
+ >=kde-frameworks/kparts-${KFMIN}:5
+ >=kde-frameworks/kpty-${KFMIN}:5
+ >=kde-frameworks/kservice-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+ sys-libs/zlib
+ zip? ( >=dev-libs/libzip-1.2.0:= )
+"
+DEPEND="${RDEPEND}
+ >=dev-qt/qtconcurrent-${QTMIN}:5
+"
+
+# bug #560548, last checked with 16.04.1
+RESTRICT+=" test"
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package zip LibZip)
+ )
+
+ ecm_src_configure
+}
+
+pkg_postinst() {
+ ecm_pkg_postinst
+
+ if [[ -z "${REPLACING_VERSIONS}" ]]; then
+ if ! has_version app-arch/rar; then
+ elog "For creating/extracting rar archives, installing app-arch/rar is required."
+ if ! has_version app-arch/unar && ! has_version app-arch/unrar; then
+ elog "Alternatively, for only extracting rar archives, install app-arch/unar (free) or app-arch/unrar (non-free)."
+ fi
+ fi
+
+ has_version app-arch/p7zip || \
+ elog "For handling 7-Zip archives, install app-arch/p7zip."
+
+ has_version app-arch/lrzip || \
+ elog "For handling lrz archives, install app-arch/lrzip."
+ fi
+}
diff --git a/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch
new file mode 100644
index 000000000000..79129c7be6e1
--- /dev/null
+++ b/kde-apps/ark/files/ark-20.04.3-CVE-2020-16116.patch
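Review bot: Unlike `ark-20.04.3-r1.ebuild` in this same commit, this ebuild has no `PATCHES` entry for CVE-2020-16116, and nothing in the commit records whether the 20.08.0 tarball already contains upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f (dated 2020-07-29, i.e. before this release, so it presumably does). If it does, a short comment near `RESTRICT+=" test"` such as `# CVE-2020-16116 fixed upstream in 20.08.0` would make the asymmetry with -r1 visibly intentional; if it does not, the same patch (re-based as needed) has to be applied here too, since this ebuild keeps ~arch keywords and will be the version testing users get. `IUSE="zip"` together with `app-arch/libarchive:=[bzip2,lzma,zlib]` also silently turns the former bzip2/lzma USE flags into hard requirements, which may force a libarchive rebuild for users coming from 20.04 and deserves a line in the commit message or a comment above `RDEPEND`. `LICENSE="GPL-2" # TODO: CHECK` is carried over unresolved, as in the -r1 ebuild.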
@@ -0,0 +1,46 @@
+From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001
+From: Elvis Angelaccio
+Date: Wed, 29 Jul 2020 23:45:30 +0200
+Subject: [PATCH] Fix vulnerability to path traversal attacks
+
+Ark was vulnerable to directory traversal attacks because of
+missing validation of file paths in the archive.
+
+More details about this attack are available at:
+https://github.com/snyk/zip-slip-vulnerability
+
+Job::onEntry() is the only place where we can safely check the path of
+every entry in the archive. There shouldn't be a valid reason
+to have a "../" in an archive path, so we can just play safe and abort
+the LoadJob if we detect such an entry. This makes impossibile to
+extract this kind of malicious archives and perform the attack.
+
+Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
+so that we can still allow loading of legitimate archives that
+contain "../" in their paths but still resolve inside the extraction folder.
+---
+ kerfuffle/jobs.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
+index fdaa48695..f73b56f86 100644
+--- a/kerfuffle/jobs.cpp
++++ b/kerfuffle/jobs.cpp
+@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
+ 
+ void Job::onEntry(Archive::Entry *entry)
+ {
++ const QString entryFullPath = entry->fullPath();
++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
++ onFinished(false);
++ return;
++ }
++
+ emit newEntry(entry);
+ }
+ 
+--
+GitLab
+
-- cgit v1.2.3