Bug#635541: ark: Directory traversal
On Wed, Dec 21, 2011 at 06:01:08PM +0000, Jonathan Wiltshire wrote:
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.4) - use target "stable"
> lenny (5.0.10) - use target "oldstable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [1] and my blog post [2].
Dear KDE maintainers,
patch for Squeeze is attached.
Cheers,
Moritz
diff -aur kdeutils-4.4.5.orig/ark/part/part.cpp kdeutils-4.4.5/ark/part/part.cpp
--- kdeutils-4.4.5.orig/ark/part/part.cpp 2010-06-25 20:40:06.000000000 +0200
+++ kdeutils-4.4.5/ark/part/part.cpp 2012-01-03 17:29:07.253075169 +0100
@@ -500,8 +500,15 @@
if (!job->error()) {
const ArchiveEntry& entry =
m_model->entryForIndex(m_view->selectionModel()->currentIndex());
- const QString fullName =
- m_previewDir->name() + '/' + entry[ FileName ].toString();
+
+ QString fullName =
+ m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString();
+
+ // Make sure a maliciously crafted archive with parent folders named ".." do
+ // not cause the previewed file path to be located outside the temporary
+ // directory, resulting in a directory traversal issue.
+ fullName.remove(QLatin1String("../"));
+
ArkViewer::view(fullName, widget());
} else {
KMessageBox::error(widget(), job->errorString());
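Review bot: The fullName.remove(QLatin1String("../")) call deletes one literal substring from the whole of fullName, the m_previewDir->name() prefix included, and that alone does not establish that the resulting path lies inside the temporary directory. I would normalise the joined path (for example with QDir::cleanPath) and only call ArkViewer::view() when the result still begins with m_previewDir->name() + '/', reporting an error through KMessageBox otherwise, as the else branch already does for job errors. Silently rewriting the entry name also means the path handed to the viewer may no longer match the file the extraction job wrote, so rejecting the entry is easier to reason about than editing it.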
Nur in kdeutils-4.4.5.orig/: git-6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0.patch.