diff --git a/kdelibs-3.5.10-CVE-2016-6232.patch b/kdelibs-3.5.10-CVE-2016-6232.patch
new file mode 100644
index 0000000..7876543
--- /dev/null
+++ b/kdelibs-3.5.10-CVE-2016-6232.patch
@@ -0,0 +1,48 @@
+From 261a3b7a126b7a1d28e263085b85bf1905eb4c19 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sl=C3=A1vek=20Banko?=
+Date: Sun, 23 Oct 2016 10:48:01 +0200
+Subject: Fix security issue CVE-2016-6232 Based on
+ https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Slávek Banko
+
+diff --git a/kio/kio/karchive.cpp b/kio/kio/karchive.cpp
+index b0e0dc6..69e54d1 100644
+--- a/kio/kio/karchive.cpp
++++ b/kio/kio/karchive.cpp
+@@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry )
+ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+ {
+ QDir root;
++ const QString destDir(QDir(dest).absPath()); // get directory path without any "." or ".."
+ 
+ PosSortedPtrList fileList;
+ QMap fileToDir;
+@@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+ QValueStack dirNameStack;
+ 
+ dirStack.push( this ); // init stack at current directory
+- dirNameStack.push( dest ); // ... with given path
++ dirNameStack.push( destDir ); // ... with given path
+ do {
+ curDir = dirStack.pop();
+- curDirName = dirNameStack.pop();
++ 
++ // extract only to specified folder if it is located within archive's extraction folder
++ // otherwise put file under root position in extraction folder
++ QString curDirName = dirNameStack.pop();
++ if (!QDir(curDirName).absPath().startsWith(destDir)) {
++ kdWarning() << "Attempted export into folder" << curDirName
++ << "which is outside of the extraction root folder" << destDir << "."
++ << "Changing export of contained files to extraction root folder.";
++ curDirName = destDir;
++ }
+ root.mkdir(curDirName);
+ 
+ dirEntries = curDir->entries();
+-- 
+cgit v0.10.2
+
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 7eeb568..a2c487b 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
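Review bot: The containment check added in the second karchive.cpp hunk, `if (!QDir(curDirName).absPath().startsWith(destDir))`, is a plain string-prefix test, so a directory that merely shares the extraction root's prefix (for a destDir of `/tmp/out`, a constructed example like `/tmp/outside`) passes it too. Comparing against the root plus a separator closes that gap: `const QString absDir = QDir(curDirName).absPath();` followed by `if (absDir != destDir && !absDir.startsWith(destDir + "/")) {`. Whether an archive can push such a sibling name onto dirNameStack depends on code outside the hunk, and absPath() only normalises `.`/`..` without resolving symlinks, so the check is lexical; both facts deserve a short comment at the check. Separately, kdWarning()'s stream does not insert spaces between operands the way QDebug does, so the backported message prints `folder` and curDirName run together — add a trailing space inside each literal. KArchiveDirectory::copyTo starts before the first hunk's context and continues past the second.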
@@ -18,7 +18,7 @@
 Summary: KDE 3 Libraries
 Name: kdelibs3
 Version: 3.5.10
-Release: 79%{?dist}
+Release: 80%{?dist}
 License: LGPLv2
 Url: http://www.kde.org/
@@ -119,6 +119,9 @@ Patch209: kdelibs-3.5.10-CVE-2013-2074.patch
 # http://commits.kde.org/kdelibs/cc5515ed7ce8884c9b18169158ba29ab2f7a3db7
 # upstream fix by Joseph Wenninger, rediffed for kdelibs 3.5.10 by Kevin Kofler
 Patch210: kdelibs-3.5.10-CVE-2015-7543.patch
+# CVE-2016-6232 - directory traversal vulnerability in KArchive
+# patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
+Patch211: kdelibs-3.5.10-CVE-2016-6232.patch
 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@@ -300,6 +303,7 @@ This package includes tools kgrantpty and kpac_dhcp_helper.
 %patch208 -p1 -b .CVE-2011-3365
 %patch209 -p1 -b .CVE-2013-2074
 %patch210 -p1 -b .CVE-2015-7543
+%patch211 -p1 -b .CVE-2016-6232
 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@@ -627,6 +631,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %attr(4755,root,root) %{_bindir}/kpac_dhcp_helper
 %changelog
+* Mon Jan 23 2017 Kevin Kofler - 3.5.10-80
+- backport fix for CVE-2016-6232 from Trinity (itself backported from KF5)
+
 * Sun Jan 22 2017 Kevin Kofler - 3.5.10-79
 - use DrKonqi from Plasma 5 rather than from kde-runtime 4
 - build against compat-openssl10 for now (F26+)