CVE-2020-16116

NameCVE-2020-16116
DescriptionIn kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3015-1, DSA-4738-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ark (PTS)buster, buster (security)4:18.08.3-1+deb10u2fixed
bullseye4:20.12.2-1fixed
bookworm, sid4:22.12.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
arksourcestretch4:16.08.3-2+deb9u1DLA-3015-1
arksourcebuster4:18.08.3-1+deb10u1DSA-4738-1
arksource(unstable)4:20.04.3-1

Notes

https://kde.org/info/security/advisory-20200730-1.txt
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
Search for package or bug name: Reporting problems