Package: kde4libs / 4:4.14.2-5+deb8u2

CVE-2016-6232.diff Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
From: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Date: Tue 19 Jul 10:38:59 CEST 2016
Subject: Ensure extraction location to be in subfolder

Behavior change: Switch to Tar's default behavior to avoid extraction
to arbitrary system locations outside of extraction folder. Instead,
extract such files to root location in extraction folder.

REVIEW: 128185
Author: Andreas Cord-Landwehr <cordlandwehr@kde.org>
Taken from karchive commit 0cb243f64eef45565741b27364cece7d5c349c37
the test was dropped in this patch as it depends on a binary file.
Fixes: CVE-2016-6232

--- a/kdecore/io/karchive.cpp
+++ b/kdecore/io/karchive.cpp
@@ -800,6 +800,7 @@
 void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
 {
   QDir root;
+  const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
 
   QList<const KArchiveFile*> fileList;
   QMap<qint64, QString> fileToDir;
@@ -809,10 +810,19 @@
   QStack<QString> dirNameStack;
 
   dirStack.push( this );     // init stack at current directory
-  dirNameStack.push( dest ); // ... with given path
+  dirNameStack.push(destDir);   // ... with given path
   do {
     const KArchiveDirectory* curDir = dirStack.pop();
-    const QString curDirName = dirNameStack.pop();
+
+    // extract only to specified folder if it is located within archive's extraction folder
+    // otherwise put file under root position in extraction folder
+    QString curDirName = dirNameStack.pop();
+    if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+        qWarning() << "Attempted export into folder" << curDirName
+            << "which is outside of the extraction root folder" << destDir << "."
+            << "Changing export of contained files to extraction root folder.";
+        curDirName = destDir;
+    }
     root.mkdir(curDirName);
 
     const QStringList dirEntries = curDir->entries();