CVE-2016-6232 / kdelibs4
Just wondering if we need to fix CVE-2016-6232 in kdelibs4 or not?
Looks like this is an issue if you try to extract a tar file that
contains relative paths outside the archive's root. Is this considered a
security issue we need to address?
Such as this one that comes as a test case:
# tar -tvf autotests/tar_relative_path_outside_archive.tar.bz2
tar: Removing leading `../' from member names
-rw-r--r-- cordlandwehr/cordlandwehr 5 2016-06-08 02:09 ../foo
Looks like the vulnerability exists (from inspecting source code only;
haven't tried to reproduce it) in wheezy.
At quick glance it looks like the patch should be easy to apply
(visually at least; patch doesn't seem to like it) as the code looks
very similar. Files have been moved to different locations. Although I
won't know for certain until I try to apply the patch.
I am out of time now, however thought this is a question that should be
Brian May <firstname.lastname@example.org>
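As an added illustration of the class of check this CVE is about (not code from the thread, and not KArchive's own fix): a lexical test that rejects archive member names such as the `../foo` entry in the test tarball before anything is written under the extraction directory. The function names and the `/tmp/extract` root are assumptions for the example.

```cpp
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical helper, not KArchive's code: returns true when an archive
// member name, after lexical normalisation, still lies inside the
// extraction directory. Absolute names and any name whose normalised form
// starts climbing above the root ("../foo", "a/../../foo") are rejected.
bool entryStaysInsideRoot(const std::string &memberName)
{
    fs::path p(memberName);
    if (p.empty() || p.is_absolute()) {
        return false;
    }
    // "a/../../foo" normalises to "../foo"; "./a/../b" normalises to "b".
    fs::path normalised = p.lexically_normal();
    for (const auto &component : normalised) {
        if (component == "..") {
            return false;
        }
    }
    return true;
}

// Resolve the on-disk target for a member, or return "" when it is skipped.
// This is a purely lexical check: it does not defend against a symlink that
// an earlier member has already planted inside the extraction directory.
std::string plannedTarget(const fs::path &root, const std::string &memberName)
{
    if (!entryStaysInsideRoot(memberName)) {
        return "";
    }
    return (root / fs::path(memberName)).lexically_normal().string();
}

int main()
{
    // Constructed member names, including the one from the test archive.
    const std::vector<std::string> members = {
        "foo/bar.txt", "./foo", "../foo", "a/../../etc/passwd", "/etc/passwd"};
    for (const auto &m : members) {
        const std::string target = plannedTarget("/tmp/extract", m);
        if (target.empty()) {
            std::cout << "skip    " << m << " (escapes extraction root)\n";
        } else {
            std::cout << "extract " << m << " -> " << target << '\n';
        }
    }
    return 0;
}
```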