Bug#856321: ktnef security issue: Directory Traversal
Package: ktnef
Version: 4:16.04.3-3
Severity: important
Tags: patch
Dear Maintainer,
From the KDE project security advisory:
> A directory traversal issue was found in ktnef which can
> be exploited by tricking a user into opening a malicious winmail.dat file.
> The issue allows writing files with the permission of the user opening
> the winmail.dat file during extraction.
I will forward the KDE project security advisory to the bug as soon as I get
back the bug number.
Patch is at:
https://commits.kde.org/ktnef/4ff38aa15487d69021aacad4b078500f77fb4ae8
Thank you,
Martin
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.16-tp520+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages ktnef depends on:
ii kio 5.28.0-1
ii libc6 2.24-9
ii libkf5configcore5 5.28.0-1
ii libkf5configwidgets5 5.28.0-1
ii libkf5coreaddons5 5.28.0-1
ii libkf5dbusaddons5 5.28.0-1
ii libkf5i18n5 5.28.0-1
ii libkf5kiowidgets5 5.28.0-1
ii libkf5service-bin 5.28.0-1
ii libkf5service5 5.28.0-1
ii libkf5tnef5 16.04.2-1
ii libkf5widgetsaddons5 5.28.0-1
ii libkf5xmlgui5 5.28.0-1
ii libqt5core5a 5.7.1+dfsg-3+b1
ii libqt5gui5 5.7.1+dfsg-3+b1
ii libqt5widgets5 5.7.1+dfsg-3+b1
ii libstdc++6 7-20170221-1
ktnef recommends no packages.
ktnef suggests no packages.
-- no debconf information
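
An added example, not code from ktnef or from the linked KDE commit: one way an extractor can keep an untrusted attachment name from a winmail.dat file inside the chosen output directory. The helper name `safe_extract_path` and the sample directory are assumptions made for illustration.

```cpp
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Hypothetical helper (not ktnef's API): map an untrusted attachment name
// to a path that is guaranteed to sit directly inside dest_dir.
std::optional<fs::path> safe_extract_path(const fs::path& dest_dir,
                                          std::string name) {
    // winmail.dat is produced by Windows senders, so treat '\' like '/'.
    for (char& c : name)
        if (c == '\\') c = '/';

    // Keep only the last component: an attachment must not pick a directory.
    const auto slash = name.find_last_of('/');
    if (slash != std::string::npos) name.erase(0, slash + 1);

    // Reject names that are empty, name a directory, or embed a NUL byte.
    if (name.empty() || name == "." || name == ".." ||
        name.find('\0') != std::string::npos)
        return std::nullopt;

    // Defense in depth: after joining and normalizing, the parent of the
    // target must still be dest_dir (compared with a trailing separator so
    // "/out" and "/out/" are treated alike).
    const fs::path base = (dest_dir / "").lexically_normal();
    const fs::path target = (base / name).lexically_normal();
    if (target.parent_path() / "" != base) return std::nullopt;
    return target;
}
```

The returned path only settles where the file may go; opening it with exclusive-create semantics additionally avoids overwriting a file that already exists there.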