CVE-2016-6232 / kdelibs4

To: debian-lts@lists.debian.org
Subject: CVE-2016-6232 / kdelibs4
From: Brian May <bam@debian.org>
Date: Tue, 19 Jul 2016 08:35:56 +1000
Message-id: <[🔎] 87h9bmpoab.fsf@prune.linuxpenguins.xyz>

Hello,

Just wondering if I we need to fix CVE-2016-6232 in kdelib4 or not?

Looks like this is an issue if you try to extract a tar file that
contains relative paths outside the archives root. Is this considered a
security issue we need to address?

Such as this one that comes as a test case:

# tar -tvf autotests/tar_relative_path_outside_archive.tar.bz2
tar: Removing leading `../' from member names
-rw-r--r-- cordlandwehr/cordlandwehr 5 2016-06-08 02:09 ../foo

Looks like the vulnerabilty exists (from inspecting source code only;
haven't tried to reproduce it) in wheezy.

At quick glance it looks like the patch should be easy to apply
(visually at least; patch doesn't seem to like it) as the code looks
very similar. Files have been moved to different locations. Although I
won't know for certain until I try to apply the patch.

I am out of time now, however thought this is a question that should be
asked first.

Regards
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: CVE-2016-6232 / kdelibs4
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Re: CVE-2016-6131 binutils, gdb, valgrind etc.
Next by Date: Wheezy update of python-django?
Previous by thread: Re: Wheezy update of gdk-pixbuf?
Next by thread: Re: CVE-2016-6232 / kdelibs4
Index(es):
- Date
- Thread