Hello community,

here is the log from the commit of package karchive for openSUSE:Factory 
checked in at 2016-07-15 12:31:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/karchive (Old)
 and      /work/SRC/openSUSE:Factory/.karchive.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "karchive"

Changes:
--------
--- /work/SRC/openSUSE:Factory/karchive/karchive.changes        2016-07-03 
12:20:20.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.karchive.new/karchive.changes   2016-07-15 
12:31:51.000000000 +0200
@@ -1,0 +2,10 @@
+Wed Jul  6 15:01:52 UTC 2016 - [email protected]
+
+- Update to 5.24.0
+  * Ensure extracting an archive does not install files outside
+    the extraction folder, for security reasons. Instead, extract
+    such files to the root of the extraction folder.
+  * For more details please see:
+    https://www.kde.org/announcements/kde-frameworks-5.24.0.php
+
+-------------------------------------------------------------------

Old:
----
  karchive-5.23.0.tar.xz

New:
----
  karchive-5.24.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ karchive.spec ++++++
--- /var/tmp/diff_new_pack.RcMuTb/_old  2016-07-15 12:31:52.000000000 +0200
+++ /var/tmp/diff_new_pack.RcMuTb/_new  2016-07-15 12:31:52.000000000 +0200
@@ -17,9 +17,9 @@
 
 
 %define lname   libKF5Archive5
-%define _tar_path 5.23
+%define _tar_path 5.24
 Name:           karchive
-Version:        5.23.0
+Version:        5.24.0
 Release:        0
 BuildRequires:  cmake >= 2.8.12
 BuildRequires:  extra-cmake-modules >= %{_tar_path}

++++++ karchive-5.23.0.tar.xz -> karchive-5.24.0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/karchive-5.23.0/CMakeLists.txt 
new/karchive-5.24.0/CMakeLists.txt
--- old/karchive-5.23.0/CMakeLists.txt  2016-06-06 11:25:32.000000000 +0200
+++ new/karchive-5.24.0/CMakeLists.txt  2016-07-02 10:40:42.000000000 +0200
@@ -3,7 +3,7 @@
 project(KArchive)
 
 include(FeatureSummary)
-find_package(ECM 5.23.0  NO_MODULE)
+find_package(ECM 5.24.0  NO_MODULE)
 set_package_properties(ECM PROPERTIES TYPE REQUIRED DESCRIPTION "Extra CMake 
Modules." URL 
"https://projects.kde.org/projects/kdesupport/extra-cmake-modules";)
 feature_summary(WHAT REQUIRED_PACKAGES_NOT_FOUND 
FATAL_ON_MISSING_REQUIRED_PACKAGES)
 
@@ -49,7 +49,7 @@
 include(ECMSetupVersion)
 include(ECMGenerateHeaders)
 
-set(KF5_VERSION "5.23.0") # handled by release scripts
+set(KF5_VERSION "5.24.0") # handled by release scripts
 
 ecm_setup_version(${KF5_VERSION}
     VARIABLE_PREFIX KARCHIVE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/karchive-5.23.0/autotests/karchivetest.cpp 
new/karchive-5.24.0/autotests/karchivetest.cpp
--- old/karchive-5.23.0/autotests/karchivetest.cpp      2016-06-06 
11:25:32.000000000 +0200
+++ new/karchive-5.24.0/autotests/karchivetest.cpp      2016-07-02 
10:40:42.000000000 +0200
@@ -760,6 +760,24 @@
 
     QCOMPARE(listing.count(), 3);
 }
+
+void KArchiveTest::testTarIgnoreRelativePathOutsideArchive()
+{
+    // This test extracts a Tar archive that contains a relative path "../foo" 
pointing
+    // outside of the archive directory. For security reasons extractions 
should only
+    // be allowed within the extracted directory as long as not specifically 
asked.
+
+    KTar 
tar(QFINDTESTDATA(QLatin1String("tar_relative_path_outside_archive.tar.bz2")));
+    QVERIFY(tar.open(QIODevice::ReadOnly));
+
+    const KArchiveDirectory *dir = tar.directory();
+    QTemporaryDir tmpDir;
+    const QString dirName = tmpDir.path() + '/';
+
+    QVERIFY(dir->copyTo(dirName));
+    QVERIFY(!QFile::exists(dirName + "../foo"));
+    QVERIFY(QFile::exists(dirName + "/foo"));
+}
 ///
 
 static const char s_zipFileName[] = "karchivetest.zip";
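Review bot: If the `QVERIFY(!QFile::exists(dirName + "../foo"))` check in testTarIgnoreRelativePathOutsideArchive ever fails, the stray `foo` has been written one level above tmpDir, where QTemporaryDir's cleanup will not remove it, so the leaked file survives across runs and can mask the regression on the next execution. Removing it before asserting, e.g. `const QString escaped = dirName + "../foo";` followed by `const bool leaked = QFile::exists(escaped); QFile::remove(escaped); QVERIFY(!leaked);`, keeps the test hermetic. The test also only covers a top-level `../foo` entry; a fixture with a nested `a/../../foo` path and one whose parent directory shares a name prefix with the extraction folder would pin down the boundary handling of the check added in karchive.cpp.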
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/karchive-5.23.0/autotests/karchivetest.h 
new/karchive-5.24.0/autotests/karchivetest.h
--- old/karchive-5.23.0/autotests/karchivetest.h        2016-06-06 
11:25:32.000000000 +0200
+++ new/karchive-5.24.0/autotests/karchivetest.h        2016-07-02 
10:40:42.000000000 +0200
@@ -76,6 +76,7 @@
     void testTarDirectoryForgotten();
     void testTarRootDir();
     void testTarDirectoryTwice();
+    void testTarIgnoreRelativePathOutsideArchive();
 
     void testCreateZip();
     void testCreateZipError();
Files old/karchive-5.23.0/autotests/tar_relative_path_outside_archive.tar.bz2 
and new/karchive-5.24.0/autotests/tar_relative_path_outside_archive.tar.bz2 
differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/karchive-5.23.0/metainfo.yaml 
new/karchive-5.24.0/metainfo.yaml
--- old/karchive-5.23.0/metainfo.yaml   2016-06-06 11:25:32.000000000 +0200
+++ new/karchive-5.24.0/metainfo.yaml   2016-07-02 10:40:42.000000000 +0200
@@ -3,7 +3,10 @@
 tier: 1
 type: functional
 platforms:
-    - name: All
+    - name: Linux
+    - name: Windows
+    - name: MacOSX
+    - name: Android
 portingAid: false
 deprecated: false
 release: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/karchive-5.23.0/src/karchive.cpp 
new/karchive-5.24.0/src/karchive.cpp
--- old/karchive-5.23.0/src/karchive.cpp        2016-06-06 11:25:32.000000000 
+0200
+++ new/karchive-5.24.0/src/karchive.cpp        2016-07-02 10:40:42.000000000 
+0200
@@ -841,6 +841,7 @@
 bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
 {
     QDir root;
+    const QString destDir(QDir(dest).absolutePath()); // get directory path 
without any "." or ".."
 
     QList<const KArchiveFile *> fileList;
     QMap<qint64, QString> fileToDir;
@@ -850,10 +851,20 @@
     QStack<QString> dirNameStack;
 
     dirStack.push(this);       // init stack at current directory
-    dirNameStack.push(dest);   // ... with given path
+    dirNameStack.push(destDir);   // ... with given path
     do {
         const KArchiveDirectory *curDir = dirStack.pop();
-        const QString curDirName = dirNameStack.pop();
+
+        // extract only to specified folder if it is located within archive's 
extraction folder
+        // otherwise put file under root position in extraction folder
+        QString curDirName = dirNameStack.pop();
+        if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+            qWarning() << "Attempted export into folder" << curDirName
+                << "which is outside of the extraction root folder" << destDir 
<< "."
+                << "Changing export of contained files to extraction root 
folder.";
+            curDirName = destDir;
+        }
+
         if (!root.mkpath(curDirName)) {
             return false;
         }
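Review bot: The containment test `QDir(curDirName).absolutePath().startsWith(destDir)` is a plain string-prefix check, so a target like `/tmp/out-other` or `/tmp/outside` passes when destDir is `/tmp/out`, even though it lies outside the extraction root; the check should accept only destDir itself or a path that continues with a separator. One way is `const QString absCur = QDir(curDirName).absolutePath();` then `const QString prefix = destDir.endsWith(QLatin1Char('/')) ? destDir : destDir + QLatin1Char('/');` and `if (absCur != destDir && !absCur.startsWith(prefix)) {`, which also keeps a filesystem-root destDir working. The comment above the check could state the reliance on QDir::absolutePath() collapsing `.` and `..` components, since that is what makes the comparison meaningful. KArchiveDirectory::copyTo continues past the hunk, so whether the per-file paths derived from curDirName receive the same treatment is not visible here.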

