Romain, thanks for the patches. I am reviewing them now.

Felix, you stated 'The previous patch still allows up traversal at the 
beginning, e.g. "../foo/bar".' In bug #578856 (the original bug for 
CVE-2010-1000) I created a metalink file that used '<file 
name="../../../tmp/secunia.png">', which as you can see specifically tested if 
'../' was at the beginning of the string. In fact, I just tested on maverick 
with the metalink file I provided and when I try to open it, I see kget outputs:
kget(3314): Name attribute of Metalink::File contains directory traversal 
directives: "../../../tmp/secunia.png"

AFAICS, '../' at the beginning is covered. This is the code in question that 
was changed:
if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || 
name.endsWith("/.."))

Maybe I am blind, but I don't see what the problem is (I also tried
metalink files with different combinations of '../' in the path). All I
can see is that upstream checks if the target file is a directory, and no
longer allows '.' in the name. Can you give a string that demonstrates a
file traversal/overwrite with the unpatched code?

** Changed in: kdenetwork (Ubuntu Karmic)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Lucid)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Maverick)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Karmic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: kdenetwork (Ubuntu Lucid)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: kdenetwork (Ubuntu Maverick)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdenetwork in Ubuntu.
https://bugs.launchpad.net/bugs/757526

Title:
  Updated fix for CVE-2010-1000

-- 
kubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
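
Added example, not part of the bug report or of KGet's source: the condition quoted in the message, evaluated against the two names the message mentions, next to a hypothetical per-component check. std::regex stands in for QRegExp, on the assumption that both treat '$' as an end-of-string assertion; the function names are made up for this example.

```cpp
#include <iostream>
#include <regex>
#include <string>

// The condition quoted in the message, with std::regex (ECMAScript) standing
// in for QRegExp. Assumption: both treat '$' as an end-of-string assertion.
bool quotedCheckFlags(const std::string& name) {
    static const std::regex re(R"($(\.\.?)?/)");
    const bool endsWithDotDot =
        name.size() >= 3 && name.compare(name.size() - 3, 3, "/..") == 0;
    return std::regex_search(name, re) ||
           name.find("/../") != std::string::npos || endsWithDotDot;
}

// Hypothetical stricter check (not upstream's fix): split on '/' and reject
// absolute names and any empty, "." or ".." component, wherever it occurs.
bool componentCheckFlags(const std::string& name) {
    if (name.empty() || name.front() == '/') return true;
    std::size_t start = 0;
    while (start <= name.size()) {
        std::size_t end = name.find('/', start);
        if (end == std::string::npos) end = name.size();
        const std::string part = name.substr(start, end - start);
        if (part.empty() || part == "." || part == "..") return true;
        start = end + 1;
    }
    return false;
}

int main() {
    // The first two names appear in the message; the last two are constructed.
    const char* names[] = {"../../../tmp/secunia.png", "../foo/bar",
                           "foo/..", "pics/secunia.png"};
    for (const char* n : names)
        std::cout << n << "  quoted=" << quotedCheckFlags(n)
                  << "  component=" << componentCheckFlags(n) << '\n';
    return 0;
}
```

With these stand-ins, the name from the original test file is flagged by the `"/../"` clause, while a name with a single leading `../` passes the quoted condition and is caught only by the per-component check.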