Version in base suite: 22.12.3-1
Base version: ark_22.12.3-1
Target version: ark_22.12.3-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/ark/ark_22.12.3-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/a/ark/ark_22.12.3-1+deb12u1.dsc
 changelog | 6 ++++
 patches/CVE-2024-57966.patch | 55 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 62 insertions(+)
gpgv: Signature made Mon Oct 13 15:23:31 2025 UTC
gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpswm_dx57/ark_22.12.3-1+deb12u1.dsc: no acceptable signature found
diff -Nru ark-22.12.3/debian/changelog ark-22.12.3/debian/changelog
--- ark-22.12.3/debian/changelog 2023-03-01 10:57:41.000000000 +0000
+++ ark-22.12.3/debian/changelog 2025-10-12 22:06:40.000000000 +0000
@@ -1,3 +1,9 @@
+ark (4:22.12.3-1+deb12u1) bookworm-security; urgency=medium
+
+ * CVE-2024-57966 (Closes: #1106104)
+
+ -- Moritz Mühlenhoff Mon, 13 Oct 2025 00:06:40 +0200
+
 ark (4:22.12.3-1) unstable; urgency=medium
 
 [ Aurélien COUDERC ]
diff -Nru ark-22.12.3/debian/patches/CVE-2024-57966.patch ark-22.12.3/debian/patches/CVE-2024-57966.patch
--- ark-22.12.3/debian/patches/CVE-2024-57966.patch 1970-01-01 00:00:00.000000000 +0000
+++ ark-22.12.3/debian/patches/CVE-2024-57966.patch 2025-10-12 22:06:40.000000000 +0000
@@ -0,0 +1,55 @@
+From fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Thu, 7 Nov 2024 14:47:26 +0100
+Subject: [PATCH] Treat absolute paths as relative paths during extraction
+
+--- ark-22.12.3.orig/autotests/kerfuffle/extracttest.cpp
++++ ark-22.12.3/autotests/kerfuffle/extracttest.cpp
+@@ -398,6 +398,10 @@ void ExtractTest::testExtraction_data()
+ << optionsPreservePaths
+ << 6;
+
++ // Test tarball with leading /, i.e. here /tmp/testfile instead of tmp/testfile
++ archivePath = QFINDTESTDATA("data/absolutepath.tar.xz");
++ setupRow("extract all entries from a tar archive with absolute path", archivePath, QList(), optionsPreservePaths, 2);
++
+ archivePath = QFINDTESTDATA("data/hello-1.0-x86_64.AppImage");
+ QTest::newRow("extract all entries from an AppImage with path")
+ << archivePath
+--- ark-22.12.3.orig/plugins/libarchive/libarchiveplugin.cpp
++++ ark-22.12.3/plugins/libarchive/libarchiveplugin.cpp
+@@ -295,6 +295,11 @@ bool LibarchivePlugin::extractFiles(cons
+ entryName.remove(0, 1);
+ }
+
++ // If this ends up empty (e.g. from // or ./), convert to ".".
++ if (entryName.isEmpty()) {
++ entryName = QStringLiteral(".");
++ }
++
+ // Should the entry be extracted?
+ if (extractAll ||
+ remainingFiles.contains(entryName) ||
+@@ -309,10 +314,13 @@ bool LibarchivePlugin::extractFiles(cons
+ continue;
+ }
+
++ // Make sure libarchive uses the same path as we expect, based on transformations and renames,
++ qCDebug(ARK) << "setting path to " << entryName;
++ archive_entry_copy_pathname(entry, QFile::encodeName(entryName).constData());
++
+ // entryFI is the fileinfo pointing to where the file will be
+ // written from the archive.
+ QFileInfo entryFI(entryName);
+- //qCDebug(ARK) << "setting path to " << archive_entry_pathname( entry );
+
+ if (isSingleFile && fileBeingRenamed.isEmpty()) {
+ // Rename extracted file from libarchive-internal "data" name to the archive uncompressed name.
+@@ -557,6 +565,7 @@ int LibarchivePlugin::extractionFlags()
+ {
+ return ARCHIVE_EXTRACT_TIME
+ | ARCHIVE_EXTRACT_SECURE_NODOTDOT
++ | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
+ | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ }
+
diff -Nru ark-22.12.3/debian/patches/series ark-22.12.3/debian/patches/series
--- ark-22.12.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ ark-22.12.3/debian/patches/series 2025-10-12 22:06:40.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-57966.patch
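Review bot: The extracttest.cpp hunk inside the added CVE-2024-57966.patch references `data/absolutepath.tar.xz` and expects 2 extracted entries, but this Debian diff touches only changelog, the patch and series (diffstat: 3 files changed), so the test archive is not shipped and `QFINDTESTDATA` will resolve to an empty path if the kerfuffle autotests run during the build. Either ship the upstream test archive through a separate mechanism (a binary cannot live in a quilt patch) or drop the extracttest.cpp hunk from the Debian patch, unless the package build already skips these autotests. The libarchiveplugin.cpp change itself is sound from a defender's view: the sanitized `entryName` is written back with `archive_entry_copy_pathname`, so libarchive extracts to the path Ark actually checked, and `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` makes libarchive itself refuse any absolute pathname that slips past the plugin. `extractFiles()` and the leading-character stripping loop that precedes the new `entryName.isEmpty()` fallback both start outside the hunk, so whether `./` is really stripped there, as the new comment implies, cannot be confirmed from this diff.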