ark: maliciously crafted archive can install files anywhere in the user's home directory (CVE-2020-16116)
In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
Reference:
https://kde.org/info/security/advisory-20200730-1.txt
Patch:
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
Affected branches:
- master
- 3.12-stable
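
A lexical check of the kind an extractor needs against the ../ traversal described above. This is an added example, not Ark's patch or code from this report; the function name `safeEntryPath` and the sample entry names are constructed for illustration. It assumes '/'-separated entry names and does not cover symlinks already present in the destination.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not from Ark): returns the cleaned path of an archive
// entry relative to the extraction directory, or "" if the entry must be
// skipped because it would resolve outside of it (or names nothing at all).
std::string safeEntryPath(const std::string &entryName)
{
    if (entryName.empty() || entryName[0] == '/')
        return "";  // absolute names ignore the extraction directory

    std::vector<std::string> parts;
    std::string component;
    for (char c : entryName + "/") {   // trailing '/' flushes the last component
        if (c == '\0') return "";      // embedded NUL truncates paths in C APIs
        if (c != '/') { component += c; continue; }
        if (component == "..") {
            if (parts.empty()) return "";  // would climb above the destination
            parts.pop_back();
        } else if (!component.empty() && component != ".") {
            parts.push_back(component);
        }
        component.clear();
    }

    std::string cleaned;
    for (const std::string &p : parts) {
        if (!cleaned.empty()) cleaned += '/';
        cleaned += p;
    }
    return cleaned;
}

int main()
{
    // Constructed sample entry names, as they might appear in an archive listing.
    const char *names[] = {"docs/readme.txt", "a/../b", "../outside.txt",
                           "a/../../outside.txt", "/abs/outside.txt"};
    for (const char *n : names) {
        const std::string p = safeEntryPath(n);
        std::cout << n << " -> " << (p.empty() ? "SKIP" : p) << "\n";
    }
    return 0;
}
```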