From ${URL} :
When using KNewStuff, one of the KDE Frameworks, to download and install files from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible to download a maliciously crafted archive file (e.g. tar.gz or zip) containing relative paths leading to outside the extraction directory (say "../../../.bashrc" for instance).

References: http://seclists.org/oss-sec/2016/q3/78
Upstream fix: https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Patch backported to 5.21.0-r1, 5.23.0-r1. 5.24.0 is not affected. Arches please stabilize =kde-frameworks/karchive-5.21.0-r1. Thanks in advance. Target: amd64 x86
knewstuff is affected too. Do we need to patch it too?
(In reply to Agostino Sarubbo from comment #2)
> knewstuff is affected too. Do we need to patch it too?

If I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:

"This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases."
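The traversal from the report ("../../../.bashrc" inside a tar.gz or zip) and the containment rule the fix is described as adding, as an added Python example that is not KArchive's or KNewStuff's own code: it builds a constructed tar.gz and zip with one benign member and one whose name walks out of the tree, then lists every entry whose resolved path would land outside the chosen extraction directory. The directory name "extract-here" is assumed and does not need to exist.

```python
import io
import os
import tarfile
import zipfile


def is_within_directory(base: str, target: str) -> bool:
    """True if target, once resolved, is base itself or lies below it."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(target)]) == base_real


def unsafe_entries(archive_bytes: bytes, dest: str) -> list:
    """Names that would be written outside dest (absolute or via '..').

    Each name is resolved against dest before any write would happen; tar(.gz)
    and zip are handled. Link targets would need the same check (not shown).
    """
    buf = io.BytesIO(archive_bytes)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = tf.getnames()
    return [n for n in names
            if os.path.isabs(n) or not is_within_directory(dest, os.path.join(dest, n))]


def build_crafted_tar() -> bytes:
    """Constructed sample: tar.gz with one benign member and one that escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("wallpaper/ok.png", "../../../.bashrc"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def build_crafted_zip() -> bytes:
    """Constructed sample: zip carrying the same escaping member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("applet/main.qml", "x")
        zf.writestr("../../../.bashrc", "x")
    return buf.getvalue()
```

Running `unsafe_entries(build_crafted_tar(), "extract-here")` returns only the escaping name; an extractor that refuses the whole archive when this list is non-empty is the behaviour the quoted fix description promises.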
(In reply to Johannes Huber from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > knewstuff is affected too. Do we need to patch it too?
>
> If I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:
>
> "This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases."

OK, that is fine.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Thanks all. Cleanup done. Removing maintainer from cc. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293
(In reply to Johannes Huber from comment #7)
> Thanks all. Cleanup done. Removing maintainer from cc.
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293

Thanks, Johu!

GLSA Vote: No