Date: Sat, 16 Jul 2016 12:05:39 +0200 From: David Faure <faure@....org> To: oss-security@...ts.openwall.com Cc: kde-security@....org Subject: CVE Request for KNewStuff/KArchive issue Hello, Could I get a CVE number for the issue below? When using KNewStuff, one of the KDE Frameworks, to download and install files from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible to download a maliciously crafted archive file (e.g. tar.gz or zip) containing relative paths leading to outside the extraction directory (say "../../../.bashrc" for instance). The fix has already been reviewed and submitted: https://git.reviewboard.kde.org/r/128185/ This fix is one layer below KNewStuff, in the framework called KArchive, which handles extraction of .tar.gz / .zip archives. KArchive now prevents files from being written outside of the extraction directory, in all cases. Versions up to KArchive 5.23.0 are affected, the fix is in KArchive 5.24.0, which I released a week ago. To my knowledge, no CVE has been requested for this yet, but to make sure, you could check if someone else from kde-security emailed you in the past month already (issue known since June 14, 2016, sorry for the delay on my part). Thanks. -- David Faure, faure@....org, http://www.davidfaure.fr Working on KDE Frameworks 5
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.