kde-apps/libktnef: Fix directory traversal

author Johannes Huber <johu@gentoo.org>

Tue, 28 Feb 2017 21:26:52 +0000 (22:26 +0100)

committer Johannes Huber <johu@gentoo.org>

Tue, 28 Feb 2017 21:27:19 +0000 (22:27 +0100)
author Johannes Huber <johu@gentoo.org>
Tue, 28 Feb 2017 21:26:52 +0000 (22:26 +0100)
committer Johannes Huber <johu@gentoo.org>
Tue, 28 Feb 2017 21:27:19 +0000 (22:27 +0100)
diff --git a/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch

new file mode 100644 (file)

index 0000000..d41b4f9
--- /dev/null
+++ b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch
@@ -0,0 +1,53 @@
+commit 4ff38aa15487d69021aacad4b078500f77fb4ae8
+Author: Albert Astals Cid <aacid@kde.org>
+Date:   Mon Feb 27 19:03:49 2017 +0100
+
+    Fix Directory Traversal problem in ktnef
+    
+    Reported by Eric Sesterhenn
+    
+    Patch reviewed by Laurent Montel
+    
+    CCMAIL: eric.sesterhenn@x41-dsec.de
+
+diff --git a/src/ktnefparser.cpp b/src/ktnefparser.cpp
+index ce40e40..0678003 100644
+--- a/src/ktnefparser.cpp
++++ b/src/ktnefparser.cpp
+@@ -41,7 +41,9 @@
+ 
+ #include <QtCore/QDateTime>
+ #include <QtCore/QDataStream>
++#include <QtCore/QDir>
+ #include <QtCore/QFile>
++#include <QtCore/QFileInfo>
+ #include <QtCore/QVariant>
+ #include <QtCore/QList>
+ 
+@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile(const QString &filename) const
+ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
+         const QString &dirname)
+ {
+-    QString filename = dirname + QLatin1Char('/');
++    const QString destDir(QDir(dirname).absolutePath()); // get directory path without any "." or ".."
++
++    QString filename = destDir + QLatin1Char('/');
+     if (!att->fileName().isEmpty()) {
+         filename += att->fileName();
+     } else {
+@@ -462,6 +466,15 @@ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
+     if (!device_->seek(att->offset())) {
+         return false;
+     }
++
++    const QFileInfo fi(filename);
++    if (!fi.absoluteFilePath().startsWith(destDir)) {
++        qWarning() << "Attempted extract into" << fi.absoluteFilePath()
++                   << "which is outside of the extraction root folder" << destDir << "."
++                   << "Changing export of contained files to extraction root folder.";
++        filename = destDir + QLatin1Char('/') + fi.fileName();
++    }
++
+     QSaveFile outfile(filename);
+     if (!outfile.open(QIODevice::WriteOnly)) {
+         return false;
diff --git a/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild

new file mode 100644 (file)

index 0000000..e759f31
--- /dev/null
+++ b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild
@@ -0,0 +1,24 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+KDE_TEST="true"
+KMNAME="ktnef"
+inherit kde5
+
+DESCRIPTION="Library for handling TNEF data"
+LICENSE="GPL-2+"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+DEPEND="
+       $(add_frameworks_dep kdelibs4support)
+       $(add_frameworks_dep ki18n)
+       $(add_kdeapps_dep kcalcore)
+       $(add_kdeapps_dep kcalutils)
+       $(add_kdeapps_dep kcontacts)
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=( "${FILESDIR}/${P}-directory-traversal.patch" )
author	Johannes Huber <johu@gentoo.org>
	Tue, 28 Feb 2017 21:26:52 +0000 (22:26 +0100)
committer	Johannes Huber <johu@gentoo.org>
	Tue, 28 Feb 2017 21:27:19 +0000 (22:27 +0100)
kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch	[new file with mode: 0644]	patch \| blob
kde-apps/libktnef/libktnef-16.12.2-r1.ebuild	[new file with mode: 0644]	patch \| blob