Hi Maximiliano,
2016-07-25 15:41 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi,
>
> 2016-07-19 23:12 GMT+02:00 Brian May <bam@debian.org>:
>> Maximiliano Curia <maxy@debian.org> writes:
>>
>>> I just did the upload to unstable, with the karchive fix from upstream and a
>>> modified version of that one for kde4libs. The second one needs some test,
>>> sadly adding the (binary) test file used in karchive is a bit of a burden.
Apparently one line, the actual fix, is missing from the patch.
The warning is issued, but the wrong path is still used in unstable:
cat debian/patches/cve-2016-6232.patch
...
const KArchiveDirectory* curDir = dirStack.pop();
- const QString curDirName = dirNameStack.pop();
+
+ // extract only to specified folder if it is located within
archive's extraction folder
+ // otherwise put file under root position in extraction folder
+ QString curDirName = dirNameStack.pop();
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ qWarning() << "Attempted export into folder" << curDirName
+ << "which is outside of the extraction root folder" <<
destDir << "."
+ << "Changing export of contained files to extraction root
folder.";
+ }
root.mkdir(curDirName);
...
In the original fix there is an additional line right after the if ( ...:
https://git.reviewboard.kde.org/r/128185/diff/2#3
...
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ curDirName = destDir;
...
I have tested the incomplete fix with the following little program:
vagrant@debian-wheezy:~/extract/test$ cat kextract.cpp
#include <cstdlib>            // exit()
#include <QtCore/QIODevice>   // QIODevice::ReadOnly
#include <karchive.h>
#include <ktar.h>

// Usage: kextract <archive.tar[.bz2]> <destdir>
// Extracts the archive through KArchiveDirectory::copyTo(), the function
// patched for CVE-2016-6232, so the "../foo" entry in the test archive
// shows whether the traversal check actually takes effect.
int main (int argc, char * argv[]) {
    if (argc < 3) exit (1);
    KTar tar(argv[1]);
    if (!tar.open(QIODevice::ReadOnly)) return 1;   // unreadable archive
    const KArchiveDirectory *dir = tar.directory();
    dir->copyTo(argv[2]);     // destination is the extraction root
    return 0;
}
vagrant@debian-wheezy:~/extract/test$ rm ../foo
vagrant@debian-wheezy:~/extract/test$ g++ -I/usr/include/qt4 -lkdecore kextract.cpp
vagrant@debian-wheezy:~/extract/test$ cat ../foo
cat: ../foo: No such file or directory
vagrant@debian-wheezy:~/extract/test$ ./a.out tar_relative_path_outside_archive.tar.bz2 ./
bzDecompress returned 4
KBzip2Filter::uncompress 1
Attempted export into folder "/home/vagrant/extract/test/.." which is outside of the extraction root folder "/home/vagrant/extract/test" . Changing export of contained files to extraction root folder.
vagrant@debian-wheezy:~/extract/test$ cat ../foo
asdf
I have built an update for wheezy with the missing line added.
Please find the proposed diff attached, which I plan to upload for Wheezy
on Wednesday.
The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
Cheers,
Balint
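As an added example (not code from this mail, nor from kde4libs or karchive), the following Python script reproduces the test above without a KDE build and goes one step further: it constructs a tar archive with a normal member, a "../foo" member and a "../test2/bar" member, then extracts it twice, once with a check that mirrors the patch's QDir(curDirName).absolutePath().startsWith(destDir) prefix test and once with a separator-aware containment check, redirecting rejected entries to the extraction root exactly as the patch does. The names build_traversal_tar, naive_is_inside, strict_is_inside, safe_extract and demo are chosen here, the archive contents are constructed, and os.path.abspath stands in for QDir::absolutePath(): both collapse "." and ".." without resolving symbolic links.

```python
"""Added example, not part of the original mail or of kde4libs/karchive:
build a tar with path-traversal members and compare a bare prefix check
with a separator-aware containment check during extraction."""
import io
import os
import tarfile
import tempfile


def build_traversal_tar() -> bytes:
    """Constructed sample archive: one harmless member, one escaping to the
    parent directory, one escaping into a sibling of the extraction dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("ok.txt", b"fine\n"),
                           ("../foo", b"asdf\n"),
                           ("../test2/bar", b"sibling\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_is_inside(dest_dir: str, target: str) -> bool:
    """Mirrors the patch: absolutePath().startsWith(destDir) with no separator.
    dest_dir is expected to be absolute already, like destDir in the patch."""
    return os.path.abspath(target).startswith(dest_dir)


def strict_is_inside(dest_dir: str, target: str) -> bool:
    """Separator-aware containment: target is dest_dir itself or lies below it."""
    dest = os.path.abspath(dest_dir)
    tgt = os.path.abspath(target)
    return tgt == dest or tgt.startswith(dest + os.sep)


def safe_extract(tar_bytes: bytes, dest_dir: str, is_inside=strict_is_inside):
    """Extract regular files the way the patched copyTo() does: a member whose
    directory fails the check is written to the extraction root instead.
    Returns the absolute paths actually written."""
    dest = os.path.abspath(dest_dir)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target_dir = os.path.join(dest, os.path.dirname(member.name))
            if not is_inside(dest, target_dir):
                target_dir = dest          # same redirect as "curDirName = destDir"
            os.makedirs(target_dir, exist_ok=True)
            path = os.path.join(target_dir, os.path.basename(member.name))
            with open(path, "wb") as out, tar.extractfile(member) as src:
                out.write(src.read())
            written.append(os.path.abspath(path))
    return written


def demo() -> dict:
    """Extract the sample archive into <tmp>/test with both checks and report
    where every member landed, relative to <tmp>."""
    tar_bytes = build_traversal_tar()
    results = {}
    for label, check in (("naive", naive_is_inside), ("strict", strict_is_inside)):
        with tempfile.TemporaryDirectory() as tmp:
            dest = os.path.join(tmp, "test")
            paths = safe_extract(tar_bytes, dest, check)
            results[label] = sorted(os.path.relpath(p, tmp) for p in paths)
    return results


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, paths)
```

With the prefix-only check the "../foo" member is redirected into test/ as the patch intends, but "../test2/bar" normalises to <tmp>/test2, which starts with the string <tmp>/test and therefore lands outside the extraction directory; the separator-aware check sends it to test/bar as well.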
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2014-08-07 22:44:05.000000000 +0200
+++ kde4libs-4.8.4/debian/changelog 2016-07-25 15:13:22.000000000 +0200
@@ -1,3 +1,10 @@
+kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium
+
+ * Add new patch: cve-2016-6232.patch
+ - Fixes: CVE-2016-6232
+
+ -- Balint Reczey <balint@balintreczey.hu> Mon, 25 Jul 2016 15:12:35 +0200
+
kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium
* Fix kauth authentication bypass. (Closes: #755814)
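Review bot: the changelog entry says only `+ * Add new patch: cve-2016-6232.patch` / `+ - Fixes: CVE-2016-6232`, which tells a user nothing about what the CVE is or that this Wheezy patch carries the `curDirName = destDir;` line the unstable upload discussed above lacks. A one-line description such as "KArchiveDirectory::copyTo: do not extract archive entries outside the destination directory (CVE-2016-6232)" would let readers of the changelog and the security tracker see the nature of the fix without opening the patch.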
diff -Nru kde4libs-4.8.4/debian/patches/cve-2016-6232.patch kde4libs-4.8.4/debian/patches/cve-2016-6232.patch
--- kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 2016-07-25 19:58:12.000000000 +0200
@@ -0,0 +1,50 @@
+From aa4d7b23ca046daeffd0695ee519315d5d6ae1bb Mon Sep 17 00:00:00 2001
+From: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
+Date: Tue, 19 Jul 2016 10:38:59 +0200
+Subject: [PATCH] Ensure extraction location to be in subfolder
+
+Behavior change: Switch to Tar's default behavior to avoid extraction
+to arbitrary system locations outside of extraction folder. Instead,
+extract such files to root location in extraction folder.
+
+REVIEW: 128185
+Author: Andreas Cord-Landwehr <cordlandwehr@kde.org>
+Taken from karchive commit 0cb243f64eef45565741b27364cece7d5c349c37
+the test was dropped in this patch as it depends on a binary file.
+Fixes: CVE-2016-6232
+---
+ kdecore/io/karchive.cpp | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kdecore/io/karchive.cpp
++++ b/kdecore/io/karchive.cpp
+@@ -778,6 +778,7 @@
+ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
+ {
+ QDir root;
++ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
+
+ QList<const KArchiveFile*> fileList;
+ QMap<qint64, QString> fileToDir;
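Review bot: the diffstat in the embedded patch header, `kdecore/io/karchive.cpp | 13 +++++++++++--` and `1 file changed, 11 insertions(+), 2 deletions(-)`, no longer matches the hunks that follow, which add 12 lines and remove 2 (the `+ curDirName = destDir;` line was evidently added after the header was generated); quilt does not use the stat, but regenerating the header with the real counts avoids a reviewer wondering which revision of the patch this is. On the hunk itself, `QDir(dest).absolutePath()` does collapse "." and ".." as the comment states, but it does not resolve symbolic links (canonicalPath() would); that is acceptable as long as the comparison in the next hunk keeps using absolutePath() on both sides, so the comment could say "without resolving symlinks" to stop someone later "improving" one side to canonicalPath() and silently breaking the prefix comparison.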
+@@ -787,10 +788,19 @@
+ QStack<QString> dirNameStack;
+
+ dirStack.push( this ); // init stack at current directory
+- dirNameStack.push( dest ); // ... with given path
++ dirNameStack.push(destDir); // ... with given path
+ do {
+ const KArchiveDirectory* curDir = dirStack.pop();
+- const QString curDirName = dirNameStack.pop();
++
++ // extract only to specified folder if it is located within archive's extraction folder
++ // otherwise put file under root position in extraction folder
++ QString curDirName = dirNameStack.pop();
++ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
++ curDirName = destDir;
++ qWarning() << "Attempted export into folder" << curDirName
++ << "which is outside of the extraction root folder" << destDir << "."
++ << "Changing export of contained files to extraction root folder.";
++ }
+ root.mkdir(curDirName);
+
+ const QStringList dirEntries = curDir->entries();
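Review bot: inside the `if (!QDir(curDirName).absolutePath().startsWith(destDir))` block the assignment `curDirName = destDir;` runs before the `qWarning() << "Attempted export into folder" << curDirName`, so the warning will always name destDir as both the attempted folder and the extraction root, unlike the unstable build's output quoted above ("/home/vagrant/extract/test/.." versus "/home/vagrant/extract/test"); move the assignment below the qWarning() or log the original value. Separately, the `startsWith(destDir)` test has no separator: with destDir `/home/vagrant/extract/test`, an archive entry under `../test2/` normalises to `/home/vagrant/extract/test2`, which passes the check and is created as a sibling of the extraction folder. Comparing against `destDir + QLatin1Char('/')` (or exact equality with destDir) closes that gap.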
diff -Nru kde4libs-4.8.4/debian/patches/series kde4libs-4.8.4/debian/patches/series
--- kde4libs-4.8.4/debian/patches/series 2014-08-07 22:44:05.000000000 +0200
+++ kde4libs-4.8.4/debian/patches/series 2016-07-25 15:12:25.000000000 +0200
@@ -27,3 +27,4 @@
python3-support-bytecode.patch
fix-copying-of-files-with-extended-ACLs.patch
CVE-2014-5033.patch
+cve-2016-6232.patch
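Review bot: the new series entry `+cve-2016-6232.patch` is lowercase while the existing `CVE-2014-5033.patch` is uppercase; keeping the existing convention (or renaming consistently) makes the CVE patches sort and grep together in debian/patches.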