CVE-2020-24654

Name of the Vulnerable Software and Affected Versions: KDE Ark versions prior to 20.08.1

Description: The issue is related to the emitEntryFromArchiveEntry function in libarchiveplugin.cpp of the Ark archiver, which incorrectly defines a link before accessing a file. This can be exploited by a remote attacker using a specially crafted tar archive, potentially allowing them to impact data integrity. The vulnerability can be used to install files outside the extraction directory, as demonstrated by a write operation to a user's home directory.

Recommendations: For versions prior to 20.08.1, update to version 20.08.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of tar archives with symlinks until a patch is applied. Restrict access to sensitive directories to minimize the risk of exploitation.