head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.1.0.4 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.2; locks; strict; comment @// @; 1.2 date 2012.03.20.06.35.27; author markd; state dead; branches; next 1.1; 1.1 date 2011.11.20.02.10.58; author markd; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.11.20.02.10.58; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.11.20.14.42.05; author tron; state Exp; branches; next ; desc @@ 1.2 log @Update to KDE SC 4.8.0 remove kdeutils4 add kcharselect, kremotecontrol, superkaramba, sweeper @ text @$NetBSD: patch-ark_part_part.cpp,v 1.1 2011/11/20 02:10:58 markd Exp $ commit 6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0 Author: Raphael Kubo da Costa Date: Mon Oct 17 20:40:01 2011 -0200 Fix directory traversal issue (CVE-2011-2725). Tim Brown from Nth Dimension noticed a possible traversal issue where the previewer dialog would show (and then remove) the wrong file when a maliciously crafted archive had a file previewed. We now do the same thing as infozip and filter out "../" from the paths being previewed. 
diff --git a/part/part.cpp b/part/part.cpp index c213f01..b034fbf 100644 --- ark/part/part.cpp +++ ark/part/part.cpp @@@@ -504,8 +504,15 @@@@ void Part::slotPreviewExtracted(KJob *job) if (!job->error()) { const ArchiveEntry& entry = m_model->entryForIndex(m_view->selectionModel()->currentIndex()); - const QString fullName = - m_previewDir->name() + '/' + entry[ FileName ].toString(); + + QString fullName = + m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString(); + + // Make sure a maliciously crafted archive with parent folders named ".." do + // not cause the previewed file path to be located outside the temporary + // directory, resulting in a directory traversal issue. + fullName.remove(QLatin1String("../")); + ArkViewer::view(fullName, widget()); } else { KMessageBox::error(widget(), job->errorString()); @ 1.1 log @Fix directory traversal issue (CVE-2011-2725). @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ark_part_part.cpp was added on branch pkgsrc-2011Q3 on 2011-11-20 14:42:05 +0000 @ text @d1 37 @ 1.1.2.2 log @Pullup ticket #3614 - requested by markd misc/kdeutils4: security patch Revisions pulled up: - misc/kdeutils4/Makefile 1.27 via patch - misc/kdeutils4/distinfo 1.15 - misc/kdeutils4/patches/patch-ark_part_part.cpp 1.1 --- Module Name: pkgsrc Committed By: markd Date: Sun Nov 20 02:10:58 UTC 2011 Modified Files: pkgsrc/misc/kdeutils4: Makefile distinfo Added Files: pkgsrc/misc/kdeutils4/patches: patch-ark_part_part.cpp Log Message: Fix directory traversal issue (CVE-2011-2725). @ text @a0 37 $NetBSD$ commit 6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0 Author: Raphael Kubo da Costa Date: Mon Oct 17 20:40:01 2011 -0200 Fix directory traversal issue (CVE-2011-2725). Tim Brown from Nth Dimension noticed a possible traversal issue where the previewer dialog would show (and then remove) the wrong file when a maliciously crafted archive had a file previewed. 
We now do the same thing as infozip and filter out "../" from the paths being previewed. diff --git a/part/part.cpp b/part/part.cpp index c213f01..b034fbf 100644 --- ark/part/part.cpp +++ ark/part/part.cpp @@@@ -504,8 +504,15 @@@@ void Part::slotPreviewExtracted(KJob *job) if (!job->error()) { const ArchiveEntry& entry = m_model->entryForIndex(m_view->selectionModel()->currentIndex()); - const QString fullName = - m_previewDir->name() + '/' + entry[ FileName ].toString(); + + QString fullName = + m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString(); + + // Make sure a maliciously crafted archive with parent folders named ".." do + // not cause the previewed file path to be located outside the temporary + // directory, resulting in a directory traversal issue. + fullName.remove(QLatin1String("../")); + ArkViewer::view(fullName, widget()); } else { KMessageBox::error(widget(), job->errorString()); @
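Review bot: Stripping the substring with `fullName.remove(QLatin1String("../"))` is a fragile containment check. It runs over the whole joined path, preview-directory prefix included, and it silently rewrites legitimate entry names where a directory name ends in two dots, so the viewer can be pointed at a path that was never extracted; substring removal also does not by itself guarantee the result stays under the temporary directory. I would normalise and then verify containment instead: `const QString fullName = QDir::cleanPath(m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString());` followed by `if (!fullName.startsWith(QDir::cleanPath(m_previewDir->name()) + QLatin1Char('/'))) return;`, or an error dialog in place of the bare return. A lexical check like this presumably still does not cover symlinked entries, which would need a canonical-path comparison once the file is extracted. The same hunk is stored twice on this page (under revision 1.2 and again under branch revision 1.1.2.2), and slotPreviewExtracted starts and ends outside it.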