oss-sec mailing list archives
CVE Request for KNewStuff/KArchive issue
From: David Faure <faure () kde org>
Date: Sat, 16 Jul 2016 12:05:39 +0200
Hello, Could I get a CVE number for the issue below? When using KNewStuff, one of the KDE Frameworks, to download and install files from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible to download a maliciously crafted archive file (e.g. tar.gz or zip) containing relative paths leading to outside the extraction directory (say "../../../.bashrc" for instance). The fix has already been reviewed and submitted: https://git.reviewboard.kde.org/r/128185/ This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases. Versions up to KArchive 5.23.0 are affected, the fix is in KArchive 5.24.0, which I released a week ago. To my knowledge, no CVE has been requested for this yet, but to make sure, you could check if someone else from kde-security emailed you in the past month already (issue known since June 14, 2016, sorry for the delay on my part). Thanks. -- David Faure, faure () kde org, http://www.davidfaure.fr Working on KDE Frameworks 5
Current thread:
- CVE Request for KNewStuff/KArchive issue David Faure (Jul 16)
- Re: CVE Request for KNewStuff/KArchive issue cve-assign (Jul 16)