CVE:
https://kde.org/info/security/advisory-20200730-1.txt
Niektóre dystrybucje już załatały aktualizując Ark do wersji 20.08.0 lub tak jak Arch Linux nakładając patch na starszą wersję:
Commit na GitLabie KDE:
Przykładowy exploit:
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Scanning the drive for archives:
1 file, 128 bytes (1 KiB)
Listing archive: /tmp/relative2.zip
--
Path = /tmp/relative2.zip
Type = zip
Physical Size = 128
----------
Path = tmp/../../moo
Folder = -
Size = 4
Packed Size = 4
Modified = 2018-06-07 19:39:54
Created =
Accessed =
Attributes = _ -rw-r--r--
Encrypted = -
Comment =
CRC = A933E2A9
Method = Store
Host OS = Unix
Version = 10
Volume Index = 0