kdelibs: add security fix CVE-2016-6232.patch
Fixes CVE-2016-6232
This commit is contained in:
parent
182e04e9d0
commit
b0e980ddde
2 changed files with 33 additions and 1 deletions
32
srcpkgs/kdelibs/patches/CVE-2016-6232.patch
Normal file
32
srcpkgs/kdelibs/patches/CVE-2016-6232.patch
Normal file
|
@ -0,0 +1,32 @@
|
|||
--- kdecore/io/karchive.cpp
|
||||
+++ kdecore/io/karchive.cpp
|
||||
@@ -800,6 +800,7 @@
|
||||
void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
|
||||
{
|
||||
QDir root;
|
||||
+ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
|
||||
|
||||
QList<const KArchiveFile*> fileList;
|
||||
QMap<qint64, QString> fileToDir;
|
||||
@@ -809,10 +810,19 @@
|
||||
QStack<QString> dirNameStack;
|
||||
|
||||
dirStack.push( this ); // init stack at current directory
|
||||
- dirNameStack.push( dest ); // ... with given path
|
||||
+ dirNameStack.push(destDir); // ... with given path
|
||||
do {
|
||||
const KArchiveDirectory* curDir = dirStack.pop();
|
||||
- const QString curDirName = dirNameStack.pop();
|
||||
+
|
||||
+ // extract only to specified folder if it is located within archive's extraction folder
|
||||
+ // otherwise put file under root position in extraction folder
|
||||
+ QString curDirName = dirNameStack.pop();
|
||||
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
|
||||
+ qWarning() << "Attempted export into folder" << curDirName
|
||||
+ << "which is outside of the extraction root folder" << destDir << "."
|
||||
+ << "Changing export of contained files to extraction root folder.";
|
||||
+ curDirName = destDir;
|
||||
+ }
|
||||
root.mkdir(curDirName);
|
||||
|
||||
const QStringList dirEntries = curDir->entries();
|
|
@ -1,7 +1,7 @@
|
|||
# Template file for 'kdelibs'
|
||||
pkgname=kdelibs
|
||||
version=4.14.3
|
||||
revision=2
|
||||
revision=3
|
||||
short_desc="KDE core libraries"
|
||||
maintainer="Juan RP <xtraeme@voidlinux.eu>"
|
||||
license="GPL-2.0, LGPL-2.1, FDL"
|
||||
|
|
Loading…
Reference in a new issue