Hi Maximiliano,

2016-07-25 15:41 GMT+02:00 Bálint Réczey <[email protected]>:
> Hi,
>
> 2016-07-19 23:12 GMT+02:00 Brian May <[email protected]>:
>> Maximiliano Curia <[email protected]> writes:
>>
>>> I just did the upload to unstable, with the karchive fix from upstream and
>>> a modified version of that one for kde4libs. The second one needs some test,
>>> sadly adding the (binary) test file used in karchive is a bit of a burden.
Apparently one line, the actual fix, is missing from the patch.
The warning is issued, but the wrong path is still used in unstable:
cat debian/patches/cve-2016-6232.patch
...
const KArchiveDirectory* curDir = dirStack.pop();
- const QString curDirName = dirNameStack.pop();
+
+ // extract only to specified folder if it is located within
archive's extraction folder
+ // otherwise put file under root position in extraction folder
+ QString curDirName = dirNameStack.pop();
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ qWarning() << "Attempted export into folder" << curDirName
+ << "which is outside of the extraction root folder" <<
destDir << "."
+ << "Changing export of contained files to extraction root
folder.";
+ }
root.mkdir(curDirName);
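Review bot: the block guarded by `if (!QDir(curDirName).absolutePath().startsWith(destDir))` only emits the qWarning; `curDirName` is declared non-const but is never reassigned, so the following `root.mkdir(curDirName)` and the later file copies still use the outside path. Add `curDirName = destDir;` as the first statement of the block, as the upstream review 128185 does; otherwise the warning text ("Changing export of contained files to extraction root folder.") announces a change that never happens.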
...
In the original fix there is an additional line right after the if ( ...:
https://git.reviewboard.kde.org/r/128185/diff/2#3
...
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ curDirName = destDir;
...
I have tested the incomplete fix with the following little program:
vagrant@debian-wheezy:~/extract/test$ cat kextract.cpp
#include <cstdlib>
#include <QIODevice>
#include <karchive.h>
#include <ktar.h>

// Usage: kextract <archive.tar[.gz|.bz2]> <destination directory>
int main (int argc, char * argv[]) {
    if (argc < 3) exit (1);
    KTar tar(argv[1]);
    if (!tar.open(QIODevice::ReadOnly)) return 2;   // unreadable or not an archive
    const KArchiveDirectory *dir = tar.directory();
    dir->copyTo(argv[2]);   // extracts every entry below the destination directory
    return 0;
}
vagrant@debian-wheezy:~/extract/test$ rm ../foo
vagrant@debian-wheezy:~/extract/test$ g++ -I/usr/include/qt4 -lkdecore kextract.cpp
vagrant@debian-wheezy:~/extract/test$ cat ../foo
cat: ../foo: No such file or directory
vagrant@debian-wheezy:~/extract/test$ ./a.out tar_relative_path_outside_archive.tar.bz2 ./
bzDecompress returned 4
KBzip2Filter::uncompress 1
Attempted export into folder "/home/vagrant/extract/test/.." which is outside of the extraction root folder "/home/vagrant/extract/test" . Changing export of contained files to extraction root folder.
vagrant@debian-wheezy:~/extract/test$ cat ../foo
asdf
I have built an update for wheezy with the missing line added.
Please find the proposed diff attached, which I plan to upload for Wheezy on Wednesday.
The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
Cheers,
Balint
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog --- kde4libs-4.8.4/debian/changelog 2014-08-07 22:44:05.000000000 +0200 +++ kde4libs-4.8.4/debian/changelog 2016-07-25 15:13:22.000000000 +0200 @@ -1,3 +1,10 @@ +kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium + + * Add new patch: cve-2016-6232.patch + - Fixes: CVE-2016-6232 + + -- Balint Reczey <[email protected]> Mon, 25 Jul 2016 15:12:35 +0200 + kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium * Fix kauth authentication bypass. (Closes: #755814) diff -Nru kde4libs-4.8.4/debian/patches/cve-2016-6232.patch kde4libs-4.8.4/debian/patches/cve-2016-6232.patch --- kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 1970-01-01 01:00:00.000000000 +0100 +++ kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 2016-07-25 19:58:12.000000000 +0200 
@@ -0,0 +1,50 @@ +From aa4d7b23ca046daeffd0695ee519315d5d6ae1bb Mon Sep 17 00:00:00 2001 +From: Debian/Kubuntu Qt/KDE Maintainers <[email protected]> +Date: Tue, 19 Jul 2016 10:38:59 +0200 +Subject: [PATCH] Ensure extraction location to be in subfolder + +Behavior change: Switch to Tar's default behavior to avoid extraction +to arbitrary system locations outside of extraction folder. Instead, +extract such files to root location in extraction folder. + +REVIEW: 128185 +Author: Andreas Cord-Landwehr <[email protected]> +Taken from karchive commit 0cb243f64eef45565741b27364cece7d5c349c37 +the test was dropped in this patch as it depends on a binary file. +Fixes: CVE-2016-6232 +--- + kdecore/io/karchive.cpp | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kdecore/io/karchive.cpp ++++ b/kdecore/io/karchive.cpp +@@ -778,6 +778,7 @@ + void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const + { + QDir root; ++ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".." + + QList<const KArchiveFile*> fileList; + QMap<qint64, QString> fileToDir; +@@ -787,10 +788,19 @@ + QStack<QString> dirNameStack; + + dirStack.push( this ); // init stack at current directory +- dirNameStack.push( dest ); // ... with given path ++ dirNameStack.push(destDir); // ... with given path + do { + const KArchiveDirectory* curDir = dirStack.pop(); +- const QString curDirName = dirNameStack.pop(); ++ ++ // extract only to specified folder if it is located within archive's extraction folder ++ // otherwise put file under root position in extraction folder ++ QString curDirName = dirNameStack.pop(); ++ if (!QDir(curDirName).absolutePath().startsWith(destDir)) { ++ curDirName = destDir; ++ qWarning() << "Attempted export into folder" << curDirName ++ << "which is outside of the extraction root folder" << destDir << "." 
++ << "Changing export of contained files to extraction root folder."; ++ } + root.mkdir(curDirName); + + const QStringList dirEntries = curDir->entries(); diff -Nru kde4libs-4.8.4/debian/patches/series kde4libs-4.8.4/debian/patches/series --- kde4libs-4.8.4/debian/patches/series 2014-08-07 22:44:05.000000000 +0200 +++ kde4libs-4.8.4/debian/patches/series 2016-07-25 15:12:25.000000000 +0200 @@ -27,3 +27,4 @@ python3-support-bytecode.patch fix-copying-of-files-with-extended-ACLs.patch CVE-2014-5033.patch +cve-2016-6232.patch
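Review bot: in the karchive.cpp hunk, `curDirName = destDir;` is executed before the qWarning that prints `curDirName`, so the warning reports the extraction root twice instead of naming the offending path; print the original value (or reorder the two statements) so the log stays useful. Separately, `startsWith(destDir)` is a plain string prefix test and `destDir` carries no trailing separator, so a directory whose name merely begins with the destination name would also pass; compare against `destDir + QDir::separator()` or compare path components so only `destDir` itself and paths below it are accepted. The changelog and series hunks are consistent with the new patch file name.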
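An added example, not code from the mail, from kde4libs or from karchive: it models the copyTo() directory check in the two patch versions with std::filesystem instead of QDir, so the incomplete and the complete fix can be compared without Qt or a test archive. The helper isWithinExtractionRoot and the two target-directory functions are this example's own assumptions, and the containment test goes beyond the page's startsWith() by comparing path components.

```cpp
// Added example, not code from the mail or from kde4libs/karchive: a model of the
// copyTo() directory check in cve-2016-6232.patch, built on std::filesystem.
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// True when 'candidate' is destDir itself or lies below it. Both paths are
// folded lexically ("." and ".." resolved) and then compared component-wise,
// which, unlike a plain string prefix test, also rejects "/x/test2" for "/x/test".
bool isWithinExtractionRoot(const std::string& destDir, const std::string& candidate) {
    fs::path rel = fs::path(candidate).lexically_normal()
                       .lexically_relative(fs::path(destDir).lexically_normal());
    if (rel.empty()) return false;          // no common root at all
    return rel.begin()->string() != "..";   // a leading ".." means it escaped
}

// Mirrors the first wheezy patch: the warning is printed, but the outside
// path is still returned and would be used for mkdir() and the file copies.
std::string targetDirIncompleteFix(const std::string& destDir, const std::string& requested) {
    std::string curDirName = requested;
    if (!isWithinExtractionRoot(destDir, curDirName)) {
        std::cerr << "Attempted export into folder " << curDirName
                  << " which is outside of the extraction root folder " << destDir
                  << " . Changing export of contained files to extraction root folder.\n";
        // missing here: curDirName = destDir;
    }
    return curDirName;
}
// Mirrors the upstream fix: an outside path is replaced by the extraction root.
std::string targetDirCompleteFix(const std::string& destDir, const std::string& requested) {
    std::string curDirName = requested;
    if (!isWithinExtractionRoot(destDir, curDirName)) {
        std::cerr << "Attempted export into folder " << curDirName
                  << " which is outside of the extraction root folder " << destDir
                  << " . Changing export of contained files to extraction root folder.\n";
        curDirName = destDir;   // the line the first wheezy patch dropped
    }
    return curDirName;
}
int main() {
    // Constructed sample: the paths the test archive produced in the mail above.
    const std::string dest = "/home/vagrant/extract/test";
    const std::string escape = "/home/vagrant/extract/test/..";
    std::cout << "incomplete fix writes under: " << targetDirIncompleteFix(dest, escape) << "\n"
              << "complete fix writes under:   " << targetDirCompleteFix(dest, escape) << "\n";
    return 0;
}
```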
