
Bug#856321: ktnef security issue: Directory Traversal



Package: ktnef
Version: 4:16.04.3-3
Severity: important
Tags: patch

Dear Maintainer,

From the KDE project security advisory:

> A directory traversal issue was found in ktnef which can
> be exploited by tricking a user into opening a malicious winmail.dat file.
> The issue allows to write files with the permission of the user opening
> the winmail.dat file during extraction.

I will forward the KDE project security advisory to the bug as soon as I
get the bug number back.

Patch is at:

https://commits.kde.org/ktnef/4ff38aa15487d69021aacad4b078500f77fb4ae8

Thank you,
Martin

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.16-tp520+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ktnef depends on:
ii  kio                   5.28.0-1
ii  libc6                 2.24-9
ii  libkf5configcore5     5.28.0-1
ii  libkf5configwidgets5  5.28.0-1
ii  libkf5coreaddons5     5.28.0-1
ii  libkf5dbusaddons5     5.28.0-1
ii  libkf5i18n5           5.28.0-1
ii  libkf5kiowidgets5     5.28.0-1
ii  libkf5service-bin     5.28.0-1
ii  libkf5service5        5.28.0-1
ii  libkf5tnef5           16.04.2-1
ii  libkf5widgetsaddons5  5.28.0-1
ii  libkf5xmlgui5         5.28.0-1
ii  libqt5core5a          5.7.1+dfsg-3+b1
ii  libqt5gui5            5.7.1+dfsg-3+b1
ii  libqt5widgets5        5.7.1+dfsg-3+b1
ii  libstdc++6            7-20170221-1

ktnef recommends no packages.

ktnef suggests no packages.

-- no debconf information
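
Added example, not part of the original report and not the KDE patch linked above: one way an extractor can keep attachment names read from a winmail.dat file inside the chosen output directory. The function names and sample paths are assumptions made for illustration.

```cpp
#include <string>

// Unsafe pattern: the name stored in the archive is appended as-is, so a
// name containing "../" resolves outside destDir when the file is created.
std::string naiveExtractionPath(const std::string &destDir,
                                const std::string &untrusted)
{
    return destDir + "/" + untrusted;
}

// Reduce an untrusted attachment name to a single path component.
// Returns false when nothing usable remains.
bool safeAttachmentName(const std::string &untrusted, std::string &out)
{
    // TNEF files come from Windows senders, so both '/' and '\' are
    // treated as separators and everything up to the last one is dropped.
    const std::string::size_type pos = untrusted.find_last_of("/\\");
    const std::string base =
        (pos == std::string::npos) ? untrusted : untrusted.substr(pos + 1);

    // Empty names, "." and ".." would address the directory itself or its
    // parent; an embedded NUL would truncate the name in C APIs.
    if (base.empty() || base == "." || base == ".." ||
        base.find('\0') != std::string::npos)
        return false;

    out = base;
    return true;
}

// Build the final path only from destDir plus the sanitized component.
bool extractionPath(const std::string &destDir, const std::string &untrusted,
                    std::string &path)
{
    std::string name;
    if (!safeAttachmentName(untrusted, name))
        return false;
    path = destDir;
    if (path.empty() || path.back() != '/')
        path += '/';
    path += name;
    return true;
}
```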

