<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202008-03">
<title>Ark: Arbitrary code execution</title>
<synopsis>Ark was found to allow arbitrary file overwrite, possibly allowing
arbitrary code execution.
</synopsis>
<product type="ebuild">ark</product>
<announced>2020-08-08</announced>
<revised count="1">2020-08-08</revised>
<bug>734622</bug>
<access>remote</access>
<affected>
<package name="kde-apps/ark" auto="yes" arch="*">
<unaffected range="ge">20.04.3-r1</unaffected>
<vulnerable range="lt">20.04.3-r1</vulnerable>
</package>
</affected>
<background>
<p>Ark is a graphical file compression/decompression utility with support
for multiple formats.
</p>
</background>
<description>
<p>A maliciously crafted archive with “../” in the file path(s) could
install files anywhere in the user’s home directory upon extraction.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted
archive using Ark, possibly resulting in execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>Avoid opening untrusted archives.</p>
</workaround>
<resolution>
<p>All Ark users should upgrade to the latest version:</p>