CVE Request for KNewStuff/KArchive issue

[David Faure <faure () kde org>]

Hello,

Could I get a CVE number for the issue below?

When using KNewStuff, one of the KDE Frameworks, to download and install files 
from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible 
to download a maliciously crafted archive file (e.g. tar.gz or zip) containing 
relative paths leading to outside the extraction directory (say 
"../../../.bashrc" for instance).

The fix has already been reviewed and submitted:
   https://git.reviewboard.kde.org/r/128185/
This fix is one layer below KNewStuff, in the framework called KArchive, which 
handles extraction of .tar.gz / .zip archives. KArchive now prevents files from 
being written outside of the extraction directory, in all cases.

Versions up to KArchive 5.23.0 are affected, the fix is in KArchive 5.24.0, 
which I released a week ago.

To my knowledge, no CVE has been requested for this yet, but to make sure, you 
could check if someone else from kde-security emailed you in the past month 
already (issue known since June 14, 2016, sorry for the delay on my part).

Thanks.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Working on KDE Frameworks 5