Fix directory traversal issue (CVE-2011-2725).

2011-11-20 02:10:58 +00:00 · 2011-11-20 02:10:58 +00:00 · 0f053b07ab
commit 0f053b07ab
parent b991a71c68
3 changed files with 41 additions and 3 deletions
--- a/misc/kdeutils4/Makefile
+++ b/misc/kdeutils4/Makefile
@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.26 2011/11/01 06:50:28 sbd Exp $
+# $NetBSD: Makefile,v 1.27 2011/11/20 02:10:58 markd Exp $

 DISTNAME=	kdeutils-${_KDE_VERSION}
-PKGREVISION=	6
+PKGREVISION=	7
 CATEGORIES=	misc
 COMMENT=	Utilities for the KDE integrated X11 desktop

--- a/misc/kdeutils4/distinfo
+++ b/misc/kdeutils4/distinfo
@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.14 2011/01/23 07:55:14 markd Exp $
+$NetBSD: distinfo,v 1.15 2011/11/20 02:10:58 markd Exp $

 SHA1 (kdeutils-4.5.5.tar.bz2) = f3bf2bd808e4540f6666cb9b26471a90f2c0135e
 RMD160 (kdeutils-4.5.5.tar.bz2) = 9a381df068d99b13f96ce9ef2e7f479fd453aaa4
 Size (kdeutils-4.5.5.tar.bz2) = 3818433 bytes
+SHA1 (patch-ark_part_part.cpp) = 83fb376f59c25530b3155fc1ba54f012b3c2fbbe
--- a/misc/kdeutils4/patches/patch-ark_part_part.cpp
+++ b/misc/kdeutils4/patches/patch-ark_part_part.cpp
@ -0,0 +1,37 @@
+$NetBSD: patch-ark_part_part.cpp,v 1.1 2011/11/20 02:10:58 markd Exp $
+
+commit 6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0
+Author: Raphael Kubo da Costa <rakuco@FreeBSD.org>
+Date:   Mon Oct 17 20:40:01 2011 -0200
+
+    Fix directory traversal issue (CVE-2011-2725).
+    
+    Tim Brown from Nth Dimension noticed a possible traversal issue where
+    the previewer dialog would show (and then remove) the wrong file when
+    a maliciously crafted archive had a file previewed.
+    
+    We now do the same thing as infozip and filter out "../" from the
+    paths being previewed.
+
+diff --git a/part/part.cpp b/part/part.cpp
+index c213f01..b034fbf 100644
+--- ark/part/part.cpp
+++ ark/part/part.cpp
+@@ -504,8 +504,15 @@ void Part::slotPreviewExtracted(KJob *job)
+     if (!job->error()) {
+         const ArchiveEntry& entry =
+             m_model->entryForIndex(m_view->selectionModel()->currentIndex());
+-        const QString fullName =
+-            m_previewDir->name() + '/' + entry[ FileName ].toString();
+
+        QString fullName =
+            m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString();
+
+        // Make sure a maliciously crafted archive with parent folders named ".." do
+        // not cause the previewed file path to be located outside the temporary
+        // directory, resulting in a directory traversal issue.
+        fullName.remove(QLatin1String("../"));
+
+         ArkViewer::view(fullName, widget());
+     } else {
+         KMessageBox::error(widget(), job->errorString());