CVE-2020-16116

Name of the Vulnerable Software and Affected Versions KDE Ark versions prior to 20.08.0

Description The issue is related to the Job::onEntry function in jobs.cpp of the KDE Ark archiver, which is associated with incorrect path name restrictions. This can allow a remote attacker to compromise the integrity of protected information. The vulnerability can be exploited by a crafted archive, enabling the installation of files outside the extraction directory via ../ directory traversal. This problem is also observed when extracting archives in the Dolphin file manager, which utilizes Ark's functionality. The issue is similar to the well-known Zip Slip problem.

Recommendations For KDE Ark versions prior to 20.08.0, update to version 20.08.0 or later to resolve the issue. As a temporary workaround, consider disabling the extraction of archives in the Dolphin file manager and avoid using the ../ directory traversal in archive files until the issue is resolved. Restrict access to the vulnerable kerfuffle/jobs.cpp file to minimize the risk of exploitation. Avoid using the Job::onEntry function in the affected jobs.cpp file until a patch is available.