First published: Tue Sep 01 2020(Updated: )
Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory.
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
ubuntu/ark | <4:19.12.3-0ubuntu1.2 | 4:19.12.3-0ubuntu1.2 |
=20.04 | ||
All of | ||
ubuntu/ark | <4:17.12.3-0ubuntu1.2 | 4:17.12.3-0ubuntu1.2 |
=18.04 | ||
All of | ||
ubuntu/ark | <4:15.12.3-0ubuntu1.2 | 4:15.12.3-0ubuntu1.2 |
=16.04 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is USN-4482-1.
The title of the vulnerability is 'Ark vulnerability'.
The vulnerability was discovered by Fabian Vogt.
The vulnerability allows an attacker to create files outside the extraction directory.
To fix the vulnerability, update the Ark package to version 4:19.12.3-0ubuntu1.2 for Ubuntu 20.04, version 4:17.12.3-0ubuntu1.2 for Ubuntu 18.04, or version 4:15.12.3-0ubuntu1.2 for Ubuntu 16.04.