| Field | Value |
|---|---|
| Summary | `<kde-frameworks/karchive-5.21.0-r1`: Extraction of tar files possible to arbitrary system locations |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo `<ago>` |
| Component | Vulnerabilities |
| Assignee | Gentoo Security `<security>` |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1357410 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=593224 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2016-07-18 08:22:28 UTC
Patch backported to 5.21.0-r1, 5.23.0-r1. 5.24.0 is not affected.

Arches please stabilize =kde-frameworks/karchive-5.21.0-r1. Thanks in advance.
Target: amd64 x86

Agostino Sarubbo (comment #2):
knewstuff is affected too. Do we need to patch it too?

Johannes Huber (comment #3):
(In reply to Agostino Sarubbo from comment #2)
> knewstuff is affected too. Do we need to patch it too?

When I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:

"This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases."

(In reply to Johannes Huber from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > knewstuff is affected too. Do we need to patch it too?
>
> When I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:
>
> "This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases."

ok that is fine

amd64 stable

x86 stable

Maintainer(s), please cleanup. Security, please vote.

Johannes Huber (comment #7):
Thanks all. Cleanup done. Removing maintainer from cc.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293

(In reply to Johannes Huber from comment #7)
> Thanks all. Cleanup done. Removing maintainer from cc.
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293

Thanks, Johu!

GLSA Vote: No
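The KDE statement quoted in comment #3 describes the fix in one sentence: the extractor refuses to write any entry whose final location falls outside the extraction directory. The block below is an added example of that check and is not KArchive's code; it uses Python's standard `tarfile` module instead of KArchive, the extraction directory `/srv/extract` and the archive contents are assumed and constructed inline, and every function name in it is hypothetical. Besides plain `../` and absolute names it also handles the two cases a quick check tends to miss: a symlink entry whose target lies outside the destination, and a later entry whose path passes through a symlink created earlier in the same archive.

```python
import io
import os
import tarfile

# Added example, not KArchive's code: resolve where each archive entry
# would be written and refuse anything that lands outside the destination.
DEST = "/srv/extract"  # assumed extraction directory; any path works


def _is_within(base: str, target: str) -> bool:
    """True if target lies inside base after normalisation and symlink resolution."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def classify_members(tar: tarfile.TarFile, dest: str):
    """Return (accepted_names, [(name, reason), ...]) for one open archive."""
    accepted, rejected = [], []
    symlinks = set()  # symlink entries accepted so far, by archive name
    dest_real = os.path.realpath(dest)
    for m in tar.getmembers():
        target = os.path.normpath(os.path.join(dest_real, m.name))
        # 1. Absolute names and names that climb out with '..' are refused.
        if os.path.isabs(m.name) or not _is_within(dest_real, target):
            rejected.append((m.name, "path escapes destination"))
            continue
        # 2. An entry written *through* a symlink created earlier in the same
        #    archive could be redirected anywhere; refuse it outright.
        parts = os.path.normpath(m.name).split("/")
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            rejected.append((m.name, "path passes through an archive symlink"))
            continue
        # 3. Symlink and hardlink entries must themselves point inside dest.
        if m.issym():
            link_target = os.path.normpath(
                os.path.join(os.path.dirname(target), m.linkname))
            if os.path.isabs(m.linkname) or not _is_within(dest_real, link_target):
                rejected.append((m.name, "symlink target escapes destination"))
                continue
            symlinks.add(os.path.normpath(m.name))
        elif m.islnk():
            link_target = os.path.normpath(os.path.join(dest_real, m.linkname))
            if not _is_within(dest_real, link_target):
                rejected.append((m.name, "hardlink target escapes destination"))
                continue
        accepted.append(m.name)
    return accepted, rejected


def audit_archive(data: bytes, dest: str):
    """Classify an in-memory tar archive without writing anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return classify_members(tar, dest)


def extract_safely(data: bytes, dest: str):
    """Extract only the accepted entries; return (accepted, rejected)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        accepted, rejected = classify_members(tar, dest)
        members = [m for m in tar.getmembers() if m.name in accepted]
        tar.extractall(dest, members=members)
    return accepted, rejected


def build_sample_tar() -> bytes:
    """Constructed sample archive mixing benign and escaping entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_symlink(name, linkname):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = linkname
            tar.addfile(ti)

        add_file("docs/readme.txt", b"hello")   # benign
        add_file("../outside.txt")              # climbs out of dest
        add_file("/etc/passwd")                 # absolute name
        add_symlink("docs/link", "../../etc")   # symlink pointing outside
        add_symlink("docs/here", "readme.txt")  # symlink staying inside
        add_file("docs/here/evil")              # written through a symlink
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = extract_safely(build_sample_tar(), tmp)
        print("extracted:", ok)
        for name, why in bad:
            print(f"refused {name!r}: {why}")
```

The check is done on the archive's own names before anything touches the disk, so a refused entry never exists even momentarily; refusing entries that pass through an earlier symlink is deliberately conservative, since the symlink does not exist yet at audit time and cannot be resolved by `realpath`.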