CVE-2016-6232 / kdelibs4


Just wondering if we need to fix CVE-2016-6232 in kdelib4 or not?

Looks like this is an issue if you try to extract a tar file that
contains relative paths outside the archive's root. Is this considered a
security issue we need to address?

Such as this one that comes as a test case:

# tar -tvf autotests/tar_relative_path_outside_archive.tar.bz2
tar: Removing leading `../' from member names
-rw-r--r-- cordlandwehr/cordlandwehr 5 2016-06-08 02:09 ../foo

Looks like the vulnerability exists (from inspecting source code only;
haven't tried to reproduce it) in wheezy.

At quick glance it looks like the patch should be easy to apply
(visually at least; patch doesn't seem to like it) as the code looks
very similar. Files have been moved to different locations. Although I
won't know for certain until I try to apply the patch.

I am out of time now, however thought this is a question that should be
asked first.

Brian May <bam@debian.org>
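A path check of the kind this class of bug needs, added here as an illustration; it is not code from kdelibs/KArchive or from the poster, and it is written in Python's tarfile rather than the library's C++. It builds a constructed archive containing a `../foo` member like the one in the test case above and rejects that member before extraction, along with links pointing outside the destination.

```python
"""Reject tar members that would land outside the extraction root."""
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def is_within_root(root: str, member_name: str) -> bool:
    """True only if member_name, resolved against root, stays under root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, member_name))
    return target == root or target.startswith(root + os.sep)


def build_test_archive() -> bytes:
    """Constructed sample archive: one benign entry and one '../foo' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok.txt", "../foo"):
            data = b"hello"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract members that stay under dest; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # Absolute names and anything escaping dest after normalisation.
            if os.path.isabs(member.name) or not is_within_root(dest, member.name):
                rejected.append(member.name)
                continue
            # Symlinks/hardlinks whose target resolves outside dest.
            if member.issym() or member.islnk():
                base = os.path.dirname(member.name) if member.issym() else ""
                if not is_within_root(dest, os.path.join(base, member.linkname)):
                    rejected.append(member.name)
                    continue
            tar.extract(member, path=dest)
            extracted.append(member.name)
    return extracted, rejected


def run_demo() -> tuple[list[str], list[str], bool, bool]:
    """Extract the sample into a temp dir; report what landed where."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_test_archive(), dest)
        ok_inside = os.path.isfile(os.path.join(dest, "ok.txt"))
        foo_escaped = os.path.exists(os.path.join(os.path.dirname(dest), "foo"))
    return extracted, rejected, ok_inside, foo_escaped
```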

