diff options
| author |   Johannes Huber <johu@gentoo.org> | 2017-02-28 22:26:52 +0100 |
|---|---|---|
| committer | Johannes Huber <johu@gentoo.org> | 2017-02-28 22:27:19 +0100 |
| commit | ecc7290e718e927b47890b215ef8af6879a85f16 (patch) | |
| tree | 297f916604467f62e187772b0675873450c66794 /kde-apps | |
| parent | media-sound/umurmur: Fix DOC_CONTENTS location of umurmur.conf. (diff) | |
| download | gentoo-ecc7290e718e927b47890b215ef8af6879a85f16.tar.gz gentoo-ecc7290e718e927b47890b215ef8af6879a85f16.tar.bz2 gentoo-ecc7290e718e927b47890b215ef8af6879a85f16.zip | |
kde-apps/libktnef: Fix directory traversal
https://www.kde.org/info/security/advisory-20170227-1.txt
Package-Manager: Portage-2.3.3, Repoman-2.3.1
Diffstat (limited to 'kde-apps')
| -rw-r--r-- | kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch | 53 | ||||
| -rw-r--r-- | kde-apps/libktnef/libktnef-16.12.2-r1.ebuild | 24 |
2 files changed, 77 insertions, 0 deletions
diff --git a/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch new file mode 100644 index 000000000000..d41b4f9c56f8 --- /dev/null +++ b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch @@ -0,0 +1,53 @@ +commit 4ff38aa15487d69021aacad4b078500f77fb4ae8 +Author: Albert Astals Cid <aacid@kde.org> +Date: Mon Feb 27 19:03:49 2017 +0100 + + Fix Directory Traversal problem in ktnef + + Reported by Eric Sesterhenn + + Patch reviewed by Laurent Montel + + CCMAIL: eric.sesterhenn@x41-dsec.de + +diff --git a/src/ktnefparser.cpp b/src/ktnefparser.cpp +index ce40e40..0678003 100644 +--- a/src/ktnefparser.cpp ++++ b/src/ktnefparser.cpp +@@ -41,7 +41,9 @@ + + #include <QtCore/QDateTime> + #include <QtCore/QDataStream> ++#include <QtCore/QDir> + #include <QtCore/QFile> ++#include <QtCore/QFileInfo> + #include <QtCore/QVariant> + #include <QtCore/QList> + +@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile(const QString &filename) const + bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att, + const QString &dirname) + { +- QString filename = dirname + QLatin1Char('/'); ++ const QString destDir(QDir(dirname).absolutePath()); // get directory path without any "." or ".." ++ ++ QString filename = destDir + QLatin1Char('/'); + if (!att->fileName().isEmpty()) { + filename += att->fileName(); + } else { +@@ -462,6 +466,15 @@ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att, + if (!device_->seek(att->offset())) { + return false; + } ++ ++ const QFileInfo fi(filename); ++ if (!fi.absoluteFilePath().startsWith(destDir)) { ++ qWarning() << "Attempted extract into" << fi.absoluteFilePath() ++ << "which is outside of the extraction root folder" << destDir << "." ++ << "Changing export of contained files to extraction root folder."; ++ filename = destDir + QLatin1Char('/') + fi.fileName(); ++ } ++ + QSaveFile outfile(filename); + if (!outfile.open(QIODevice::WriteOnly)) { + return false; diff --git a/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild new file mode 100644 index 000000000000..e759f310c122 --- /dev/null +++ b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild @@ -0,0 +1,24 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +KDE_TEST="true" +KMNAME="ktnef" +inherit kde5 + +DESCRIPTION="Library for handling TNEF data" +LICENSE="GPL-2+" +KEYWORDS="~amd64 ~x86" +IUSE="" + +DEPEND=" + $(add_frameworks_dep kdelibs4support) + $(add_frameworks_dep ki18n) + $(add_kdeapps_dep kcalcore) + $(add_kdeapps_dep kcalutils) + $(add_kdeapps_dep kcontacts) +" +RDEPEND="${DEPEND}" + +PATCHES=( "${FILESDIR}/${P}-directory-traversal.patch" ) |