Bug 589054 (CVE-2016-6232)

Summary: <kde-frameworks/karchive-5.21.0-r1: Extraction of tar files possible to arbitrary system locations
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1357410
See Also: https://bugs.gentoo.org/show_bug.cgi?id=593224
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-07-18 08:22:28 UTC
From ${URL} :

When using KNewStuff, one of the KDE Frameworks, to download and install files 
from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible 
to download a maliciously crafted archive file (e.g. tar.gz or zip) containing 
relative paths leading to outside the extraction directory (say 
"../../../.bashrc" for instance).

References:

http://seclists.org/oss-sec/2016/q3/78

Upstream fix:

https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
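The issue described above is archive path traversal: an entry named "../../../.bashrc" (or one with an absolute path) is written relative to the extraction directory and lands outside it. The upstream KArchive fix keeps every extracted file inside the extraction directory. The following is an added Python example, not KArchive's code and not part of this bug report, showing the containment check such a fix needs. The function names (`is_within_directory`, `safe_extract`, `build_demo_tar`, `run_demo`) are chosen here, and the archive is constructed in memory for the demonstration: one benign entry, two escaping file entries, and a symlink whose target points outside the directory.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(dest_dir: str, member_name: str) -> bool:
    """True only if member_name, placed under dest_dir, resolves to a path inside dest_dir."""
    # Absolute entry names are rejected outright rather than silently relocated.
    if os.path.isabs(member_name):
        return False
    dest = os.path.realpath(dest_dir)
    # realpath also follows symlinks already extracted, so a later entry cannot
    # write "through" an earlier in-tree link that points outside the tree.
    target = os.path.realpath(os.path.join(dest, member_name))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(tar: tarfile.TarFile, dest_dir: str):
    """Extract regular files, directories and contained symlinks; return (accepted, rejected) names."""
    accepted, rejected = [], []
    dest = os.path.realpath(dest_dir)
    for member in tar.getmembers():
        if not is_within_directory(dest, member.name):
            rejected.append(member.name)
            continue
        target = os.path.join(dest, member.name)
        if member.isdir():
            os.makedirs(target, exist_ok=True)
        elif member.isfile():
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
        elif member.issym():
            # A symlink target is resolved relative to the link's own directory,
            # so the containment check must be applied to that combined path.
            link_dir = os.path.dirname(member.name)
            if not is_within_directory(dest, os.path.join(link_dir, member.linkname)):
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            os.symlink(member.linkname, target)
        else:
            # Hard links, devices and FIFOs are not needed for downloaded content; refuse them.
            rejected.append(member.name)
            continue
        accepted.append(member.name)
    return accepted, rejected


def build_demo_tar() -> bytes:
    """Constructed sample archive: one benign file, two escaping files, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("ok/file.txt", b"hello"),
            ("../../../.bashrc", b"not a real payload"),
            ("/etc/cron.d/job", b"not a real payload"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("ok/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def run_demo():
    """Extract the constructed archive into a temporary directory and report the decision per entry."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_demo_tar()), mode="r") as tar:
            accepted, rejected = safe_extract(tar, dest)
        # Only the benign entry exists on disk afterwards.
        assert os.path.isfile(os.path.join(dest, "ok", "file.txt"))
        return accepted, rejected


if __name__ == "__main__":
    ok, bad = run_demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

The check normalises the joined path with `realpath` and compares against the resolved destination plus a separator, so `dest/..` style prefixes and look-alike sibling directories (`dest2/`) both fail; checking the entry name for a literal `..` substring alone would miss the symlink case handled above.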
Comment 1 Johannes Huber (RETIRED) gentoo-dev 2016-07-18 20:24:03 UTC
Patch backported to 5.21.0-r1, 5.23.0-r1. 5.24.0 is not affected.

Arches please stabilize =kde-frameworks/karchive-5.21.0-r1. Thanks in advance.

Target: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-07-18 21:06:02 UTC
knewstuff is affected too. Do we need to patch it too?
Comment 3 Johannes Huber (RETIRED) gentoo-dev 2016-07-18 21:27:22 UTC
(In reply to Agostino Sarubbo from comment #2)
> knewstuff is affected too. Do we need to patch it too?

If I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:

"This fix is one layer below KNewStuff, in the framework called KArchive, which 
handles extraction of .tar.gz / .zip archives. KArchive now prevents files from 
being written outside of the extraction directory, in all cases."
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:17 UTC
(In reply to Johannes Huber from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > knewstuff is affected too. Do we need to patch it too?
> 
> If I understand it correctly, with patched karchive it doesn't matter what
> is downloaded via knewstuff:
> 
> "This fix is one layer below KNewStuff, in the framework called KArchive,
> which 
> handles extraction of .tar.gz / .zip archives. KArchive now prevents files
> from 
> being written outside of the extraction directory, in all cases."

ok that is fine
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:25 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Johannes Huber (RETIRED) gentoo-dev 2016-07-19 11:33:01 UTC
Thanks all. Cleanup done. Removing maintainer from cc.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-07-19 12:13:06 UTC
(In reply to Johannes Huber from comment #7)
> Thanks all. Cleanup done. Removing maintainer from cc.
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293

Thanks, Johu!

GLSA Vote: No