Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Jul 2016 12:05:39 +0200
From: David Faure <faure@....org>
To: oss-security@...ts.openwall.com
Cc: kde-security@....org
Subject: CVE Request for KNewStuff/KArchive issue

Hello,

Could I get a CVE number for the issue below?

When using KNewStuff, one of the KDE Frameworks, to download and install files 
from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible 
to download a maliciously crafted archive file (e.g. tar.gz or zip) containing 
relative paths leading to outside the extraction directory (say 
"../../../.bashrc" for instance).

The fix has already been reviewed and submitted:
   https://git.reviewboard.kde.org/r/128185/
This fix is one layer below KNewStuff, in the framework called KArchive, which 
handles extraction of .tar.gz / .zip archives. KArchive now prevents files from 
being written outside of the extraction directory, in all cases.

Versions up to KArchive 5.23.0 are affected, the fix is in KArchive 5.24.0, 
which I released a week ago.

To my knowledge, no CVE has been requested for this yet, but to make sure, you 
could check if someone else from kde-security emailed you in the past month 
already (issue known since June 14, 2016, sorry for the delay on my part).

Thanks.

-- 
David Faure, faure@....org, http://www.davidfaure.fr
Working on KDE Frameworks 5

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.