summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Huber <johu@gentoo.org>2016-07-18 22:20:50 +0200
committerJohannes Huber <johu@gentoo.org>2016-07-18 22:21:02 +0200
commitfb73d9e3a0d7ef1141b828955a3abcb00afe16c4 (patch)
tree4c6eaab43f3a35f6819be0fe8db0c2890951f024 /kde-frameworks
parentgames-kids/tuxtype: remove deprecated games eclass (diff)
downloadgentoo-fb73d9e3a0d7ef1141b828955a3abcb00afe16c4.tar.gz
gentoo-fb73d9e3a0d7ef1141b828955a3abcb00afe16c4.tar.bz2
gentoo-fb73d9e3a0d7ef1141b828955a3abcb00afe16c4.zip
kde-frameworks/karchive: Fix CVE-2016-6232
Revision bump backports upstream patch to fix CVE-2016-6232. Gentoo-bug: 589054 Package-Manager: portage-2.3.0
Diffstat (limited to 'kde-frameworks')
-rw-r--r--kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch92
-rw-r--r--kde-frameworks/karchive/karchive-5.21.0-r1.ebuild32
-rw-r--r--kde-frameworks/karchive/karchive-5.23.0-r1.ebuild32
3 files changed, 156 insertions, 0 deletions
diff --git a/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch b/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch
new file mode 100644
index 00000000000..b5c0608d91f
--- /dev/null
+++ b/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch
@@ -0,0 +1,92 @@
+commit 0cb243f64eef45565741b27364cece7d5c349c37
+Author: Andreas Cord-Landwehr <cordlandwehr@kde.org>
+Date: Tue Jun 14 15:52:49 2016 +0200
+
+ Ensure extraction location to be in subfolder
+
+ Behavior change: Switch to Tar's default behavior to avoid extraction
+ to arbitrary system locations outside of extraction folder. Instead,
+ extract such files to root location in extraction folder.
+
+ REVIEW: 128185
+
+diff --git a/autotests/karchivetest.cpp b/autotests/karchivetest.cpp
+index c8abddf..549ed26 100644
+--- a/autotests/karchivetest.cpp
++++ b/autotests/karchivetest.cpp
+@@ -760,6 +760,24 @@ void KArchiveTest::testTarDirectoryTwice() // bug 206994
+
+ QCOMPARE(listing.count(), 3);
+ }
++
++void KArchiveTest::testTarIgnoreRelativePathOutsideArchive()
++{
++ // This test extracts a Tar archive that contains a relative path "../foo" pointing
++ // outside of the archive directory. For security reasons extractions should only
++ // be allowed within the extracted directory as long as not specifically asked.
++
++ KTar tar(QFINDTESTDATA(QLatin1String("tar_relative_path_outside_archive.tar.bz2")));
++ QVERIFY(tar.open(QIODevice::ReadOnly));
++
++ const KArchiveDirectory *dir = tar.directory();
++ QTemporaryDir tmpDir;
++ const QString dirName = tmpDir.path() + '/';
++
++ QVERIFY(dir->copyTo(dirName));
++ QVERIFY(!QFile::exists(dirName + "../foo"));
++ QVERIFY(QFile::exists(dirName + "/foo"));
++}
+ ///
+
+ static const char s_zipFileName[] = "karchivetest.zip";
+diff --git a/autotests/karchivetest.h b/autotests/karchivetest.h
+index 4b7ecff..5a6375c 100644
+--- a/autotests/karchivetest.h
++++ b/autotests/karchivetest.h
+@@ -76,6 +76,7 @@ private Q_SLOTS:
+ void testTarDirectoryForgotten();
+ void testTarRootDir();
+ void testTarDirectoryTwice();
++ void testTarIgnoreRelativePathOutsideArchive();
+
+ void testCreateZip();
+ void testCreateZipError();
+diff --git a/autotests/tar_relative_path_outside_archive.tar.bz2 b/autotests/tar_relative_path_outside_archive.tar.bz2
+new file mode 100644
+index 0000000..50a3aca
+Binary files /dev/null and b/autotests/tar_relative_path_outside_archive.tar.bz2 differ
+diff --git a/src/karchive.cpp b/src/karchive.cpp
+index 5a7cfc6..7683c7f 100644
+--- a/src/karchive.cpp
++++ b/src/karchive.cpp
+@@ -841,6 +841,7 @@ static bool sortByPosition(const KArchiveFile *file1, const KArchiveFile *file2)
+ bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
+ {
+ QDir root;
++ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
+
+ QList<const KArchiveFile *> fileList;
+ QMap<qint64, QString> fileToDir;
+@@ -850,10 +851,20 @@ bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
+ QStack<QString> dirNameStack;
+
+ dirStack.push(this); // init stack at current directory
+- dirNameStack.push(dest); // ... with given path
++ dirNameStack.push(destDir); // ... with given path
+ do {
+ const KArchiveDirectory *curDir = dirStack.pop();
+- const QString curDirName = dirNameStack.pop();
++
++ // extract only to specified folder if it is located within archive's extraction folder
++ // otherwise put file under root position in extraction folder
++ QString curDirName = dirNameStack.pop();
++ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
++ qWarning() << "Attempted export into folder" << curDirName
++ << "which is outside of the extraction root folder" << destDir << "."
++ << "Changing export of contained files to extraction root folder.";
++ curDirName = destDir;
++ }
++
+ if (!root.mkpath(curDirName)) {
+ return false;
+ }
diff --git a/kde-frameworks/karchive/karchive-5.21.0-r1.ebuild b/kde-frameworks/karchive/karchive-5.21.0-r1.ebuild
new file mode 100644
index 00000000000..698a1bd7be4
--- /dev/null
+++ b/kde-frameworks/karchive/karchive-5.21.0-r1.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit kde5
+
+DESCRIPTION="Framework for reading, creation, and manipulation of various archive formats"
+LICENSE="GPL-2 LGPL-2.1"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+bzip2 +lzma"
+
+RDEPEND="
+ bzip2? ( app-arch/bzip2 )
+ lzma? ( app-arch/xz-utils )
+ sys-libs/zlib
+"
+DEPEND="${RDEPEND}"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2016-6232.patch" )
+
+RESTRICT="test"
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake-utils_use_find_package bzip2 BZip2)
+ $(cmake-utils_use_find_package lzma LibLZMA)
+ )
+
+ kde5_src_configure
+}
diff --git a/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild b/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild
new file mode 100644
index 00000000000..55a5937e1b2
--- /dev/null
+++ b/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit kde5
+
+DESCRIPTION="Framework for reading, creation, and manipulation of various archive formats"
+LICENSE="GPL-2 LGPL-2.1"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+bzip2 +lzma"
+
+RDEPEND="
+ bzip2? ( app-arch/bzip2 )
+ lzma? ( app-arch/xz-utils )
+ sys-libs/zlib
+"
+DEPEND="${RDEPEND}"
+
+PATCHES=( "${FILESDIR}/${PN}-5.21.0-CVE-2016-6232.patch" )
+
+RESTRICT="test"
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake-utils_use_find_package bzip2 BZip2)
+ $(cmake-utils_use_find_package lzma LibLZMA)
+ )
+
+ kde5_src_configure
+}