backport fix for CVE-2016-6232 from Trinity (itself backported from KF5)

2017-01-23 01:30:30 +01:00 · 2017-01-23 01:30:30 +01:00 · 8985e9f610
parent 0baabbdf03
commit 8985e9f610
2 changed files with 56 additions and 1 deletions
--- a/kdelibs-3.5.10-CVE-2016-6232.patch
+++ b/kdelibs-3.5.10-CVE-2016-6232.patch
@ -0,0 +1,48 @@
+From 261a3b7a126b7a1d28e263085b85bf1905eb4c19 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
+Date: Sun, 23 Oct 2016 10:48:01 +0200
+Subject: Fix security issue CVE-2016-6232 Based on
+ https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
+
+diff --git a/kio/kio/karchive.cpp b/kio/kio/karchive.cpp
+index b0e0dc6..69e54d1 100644
+--- a/kio/kio/karchive.cpp
+++ b/kio/kio/karchive.cpp
+@@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry )
+ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+ {
+   QDir root;
+  const QString destDir(QDir(dest).absPath()); // get directory path without any "." or ".."
+ 
+   PosSortedPtrList fileList;
+   QMap<int, QString> fileToDir;
+@@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+   QValueStack<QString> dirNameStack;
+ 
+   dirStack.push( this );     // init stack at current directory
+-  dirNameStack.push( dest ); // ... with given path
+  dirNameStack.push( destDir ); // ... with given path
+   do {
+     curDir = dirStack.pop();
+-    curDirName = dirNameStack.pop();
+
+    // extract only to specified folder if it is located within archive's extraction folder
+    // otherwise put file under root position in extraction folder
+    QString curDirName = dirNameStack.pop();
+    if (!QDir(curDirName).absPath().startsWith(destDir)) {
+        kdWarning() << "Attempted export into folder" << curDirName
+            << "which is outside of the extraction root folder" << destDir << "."
+            << "Changing export of contained files to extraction root folder.";
+        curDirName = destDir;
+    }
+     root.mkdir(curDirName);
+ 
+     dirEntries = curDir->entries();
+-- 
+cgit v0.10.2
+
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@ -18,7 +18,7 @@
 Summary: KDE 3 Libraries
 Name:    kdelibs3
 Version: 3.5.10
-Release: 79%{?dist}
+Release: 80%{?dist}

 License: LGPLv2
 Url: http://www.kde.org/
@ -119,6 +119,9 @@ Patch209: kdelibs-3.5.10-CVE-2013-2074.patch
 # http://commits.kde.org/kdelibs/cc5515ed7ce8884c9b18169158ba29ab2f7a3db7
 # upstream fix by Joseph Wenninger, rediffed for kdelibs 3.5.10 by Kevin Kofler
 Patch210: kdelibs-3.5.10-CVE-2015-7543.patch
+# CVE-2016-6232 - directory traversal vulnerability in KArchive
+# patch from Trinity (Slávek Banko), based on KF5 fix (Andreas Cord-Landwehr)
+Patch211: kdelibs-3.5.10-CVE-2016-6232.patch

 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@ -300,6 +303,7 @@ This package includes tools kgrantpty and kpac_dhcp_helper.
 %patch208 -p1 -b .CVE-2011-3365
 %patch209 -p1 -b .CVE-2013-2074
 %patch210 -p1 -b .CVE-2015-7543
+%patch211 -p1 -b .CVE-2016-6232

 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@ -627,6 +631,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %attr(4755,root,root) %{_bindir}/kpac_dhcp_helper

 %changelog
+* Mon Jan 23 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-80
+- backport fix for CVE-2016-6232 from Trinity (itself backported from KF5)
+
 * Sun Jan 22 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-79
 - use DrKonqi from Plasma 5 rather than from kde-runtime 4
 - build against compat-openssl10 for now (F26+)