Bug 589054 (CVE-2016-6232) - <kde-frameworks/karchive-5.21.0-r1: Extraction of tar files possible to arbitrary system locations
Summary: <kde-frameworks/karchive-5.21.0-r1: Extraction of tar files possible to arbit...
Status: RESOLVED FIXED
Alias: CVE-2016-6232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-18 08:22 UTC by Agostino Sarubbo
Modified: 2016-09-08 17:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-07-18 08:22:28 UTC
From ${URL} :

When using KNewStuff, one of the KDE Frameworks, to download and install files 
from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible 
to download a maliciously crafted archive file (e.g. tar.gz or zip) containing 
relative paths leading to outside the extraction directory (say 
"../../../.bashrc" for instance).

References:

http://seclists.org/oss-sec/2016/q3/78

Upstream fix:

https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Johannes Huber gentoo-dev 2016-07-18 20:24:03 UTC
Patch backported to 5.21.0-r1, 5.23.0-r1. 5.24.0 is not affected.

Arches please stabilize =kde-frameworks/karchive-5.21.0-r1. Thanks in advance.

Target: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-07-18 21:06:02 UTC
knewstuff is affected too. Do we need to patch it too?
Comment 3 Johannes Huber gentoo-dev 2016-07-18 21:27:22 UTC
(In reply to Agostino Sarubbo from comment #2)
> knewstuff is affected too. Do we need to patch it too?

If I understand it correctly, with patched karchive it doesn't matter what is downloaded via knewstuff:

"This fix is one layer below KNewStuff, in the framework called KArchive, which 
handles extraction of .tar.gz / .zip archives. KArchive now prevents files from 
being written outside of the extraction directory, in all cases."
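The description and the quoted upstream note both come down to one check an extractor has to make for every entry: the entry name, joined to the extraction directory, must still resolve to a location below that directory. The following is an added example written for this page in C++17 with std::filesystem; it is not KArchive's code, and the function names and the sample destination path are assumed.

```cpp
// Added example (not KArchive's own code): a lexical "stays inside the
// destination" check of the kind an archive extractor needs before it
// creates each entry. Function names and the destination path are assumed.
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Returns true only when `entry` (the name as stored in the archive) would
// land inside `dest` after lexical normalization. Empty names, absolute
// names, names with a root component and names whose normalized form climbs
// above `dest` (e.g. "../../../.bashrc" or "a/../../x") are rejected.
bool entryStaysInside(const fs::path& dest, const std::string& entry)
{
    if (entry.empty())
        return false;

    const fs::path entryPath(entry);
    // "/etc/passwd" or "C:\..." style names never belong in an archive that
    // is meant to be unpacked below a caller-chosen directory.
    if (entryPath.is_absolute() || entryPath.has_root_name() || entryPath.has_root_directory())
        return false;

    const fs::path destNorm = dest.lexically_normal();
    const fs::path full = (destNorm / entryPath).lexically_normal();

    // lexically_relative() yields a path whose first element is ".." (or an
    // empty path) exactly when `full` is not located under `destNorm`.
    const fs::path rel = full.lexically_relative(destNorm);
    if (rel.empty())
        return false;
    return rel.begin()->string() != "..";
}

// Splits a list of archive entry names into the ones that may be extracted
// and the ones that must be refused, mirroring the per-entry decision an
// extractor makes before touching the filesystem.
struct ExtractionPlan {
    std::vector<std::string> accepted;
    std::vector<std::string> rejected;
};

ExtractionPlan planExtraction(const fs::path& dest, const std::vector<std::string>& entries)
{
    ExtractionPlan plan;
    for (const std::string& e : entries)
        (entryStaysInside(dest, e) ? plan.accepted : plan.rejected).push_back(e);
    return plan;
}

int main()
{
    // Constructed sample: what a downloaded wallpaper archive might list,
    // plus the kind of relative name the bug report describes.
    const std::vector<std::string> entries = {
        "wallpaper/",
        "wallpaper/metadata.desktop",
        "wallpaper/contents/../contents/images/1920x1080.png",
        "../../../.bashrc",
        "/etc/profile",
        "",
    };
    const ExtractionPlan plan = planExtraction("/home/user/.local/share/wallpapers", entries);
    for (const auto& e : plan.accepted)
        std::cout << "extract  " << e << '\n';
    for (const auto& e : plan.rejected)
        std::cout << "refuse   '" << e << "'\n";
    return 0;
}
```

The check is purely lexical, which is what makes it cheap and deterministic: it rejects the name before anything is created, so no file is written and then cleaned up. It does not by itself cover entries that are symbolic links; an extractor that creates symlinks from archive data also has to make sure later entries are not written through a link it created, which is why the upstream statement "in all cases" matters rather than a path check alone.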
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:17 UTC
(In reply to Johannes Huber from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > knewstuff is affected too. Do we need to patch it too?
> 
> If I understand it correctly, with patched karchive it doesn't matter what
> is downloaded via knewstuff:
> 
> "This fix is one layer below KNewStuff, in the framework called KArchive,
> which 
> handles extraction of .tar.gz / .zip archives. KArchive now prevents files
> from 
> being written outside of the extraction directory, in all cases."

ok that is fine
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:25 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-19 07:32:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Johannes Huber gentoo-dev 2016-07-19 11:33:01 UTC
Thanks all. Cleanup done. Removing maintainer from cc.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=200ffefe558460d975d8d9b091474212e43d6293
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-19 12:13:06 UTC
(In reply to Johannes Huber from comment #7)
> Thanks all. Cleanup done. Removing maintainer from cc.
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=200ffefe558460d975d8d9b091474212e43d6293

Thanks, Johu!

GLSA Vote: No