[gentoo-commits] repo/gentoo:master commit in: kde-apps/libktnef/files/, kde-apps/libktnef/ - gentoo-commits

From:	Johannes Huber <johu@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: kde-apps/libktnef/files/, kde-apps/libktnef/
Date:	Tue, 28 Feb 2017 21:28:06
Message-Id:	`1488317239.ecc7290e718e927b47890b215ef8af6879a85f16.johu@gentoo`

1

commit:     ecc7290e718e927b47890b215ef8af6879a85f16

2

Author:     Johannes Huber <johu <AT> gentoo <DOT> org>

3

AuthorDate: Tue Feb 28 21:26:52 2017 +0000

4

Commit:     Johannes Huber <johu <AT> gentoo <DOT> org>

5

CommitDate: Tue Feb 28 21:27:19 2017 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecc7290e

7

8

kde-apps/libktnef: Fix directory traversal

9

10

https://www.kde.org/info/security/advisory-20170227-1.txt

11

12

Package-Manager: Portage-2.3.3, Repoman-2.3.1

13

14

 .../libktnef-16.12.2-directory-traversal.patch     | 53 ++++++++++++++++++++++

15

 kde-apps/libktnef/libktnef-16.12.2-r1.ebuild       | 24 ++++++++++

16

 2 files changed, 77 insertions(+)

17

18

diff --git a/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch

19

new file mode 100644

20

index 00000000000..d41b4f9c56f

21

--- /dev/null

22

+++ b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch

23

@@ -0,0 +1,53 @@

24

+commit 4ff38aa15487d69021aacad4b078500f77fb4ae8

25

+Author: Albert Astals Cid <aacid@×××.org>

26

+Date:   Mon Feb 27 19:03:49 2017 +0100

27

+

28

+    Fix Directory Traversal problem in ktnef

29

+

30

+    Reported by Eric Sesterhenn

31

+

32

+    Patch reviewed by Laurent Montel

33

+

34

+    CCMAIL: eric.sesterhenn@××××××××.de

35

+

36

+diff --git a/src/ktnefparser.cpp b/src/ktnefparser.cpp

37

+index ce40e40..0678003 100644

38

+--- a/src/ktnefparser.cpp

39

++++ b/src/ktnefparser.cpp

40

+@@ -41,7 +41,9 @@

41

+

42

+ #include <QtCore/QDateTime>

43

+ #include <QtCore/QDataStream>

44

++#include <QtCore/QDir>

45

+ #include <QtCore/QFile>

46

++#include <QtCore/QFileInfo>

47

+ #include <QtCore/QVariant>

48

+ #include <QtCore/QList>

49

+

50

+@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile(const QString &filename) const

51

+ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,

52

+         const QString &dirname)

53

+ {

54

+-    QString filename = dirname + QLatin1Char('/');

55

++    const QString destDir(QDir(dirname).absolutePath()); // get directory path without any "." or ".."

56

++

57

++    QString filename = destDir + QLatin1Char('/');

58

+     if (!att->fileName().isEmpty()) {

59

+         filename += att->fileName();

60

+     } else {

61

+@@ -462,6 +466,15 @@ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,

62

+     if (!device_->seek(att->offset())) {

63

+         return false;

64

+     }

65

++

66

++    const QFileInfo fi(filename);

67

++    if (!fi.absoluteFilePath().startsWith(destDir)) {

68

++        qWarning() << "Attempted extract into" << fi.absoluteFilePath()

69

++                   << "which is outside of the extraction root folder" << destDir << "."

70

++                   << "Changing export of contained files to extraction root folder.";

71

++        filename = destDir + QLatin1Char('/') + fi.fileName();

72

++    }

73

++

74

+     QSaveFile outfile(filename);

75

+     if (!outfile.open(QIODevice::WriteOnly)) {

76

+         return false;

77

78

diff --git a/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild

79

new file mode 100644

80

index 00000000000..e759f310c12

81

--- /dev/null

82

+++ b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild

83

@@ -0,0 +1,24 @@

84

+# Copyright 1999-2017 Gentoo Foundation

85

+# Distributed under the terms of the GNU General Public License v2

86

+

87

+EAPI=6

88

+

89

+KDE_TEST="true"

90

+KMNAME="ktnef"

91

+inherit kde5

92

+

93

+DESCRIPTION="Library for handling TNEF data"

94

+LICENSE="GPL-2+"

95

+KEYWORDS="~amd64 ~x86"

96

+IUSE=""

97

+

98

+DEPEND="

99

+	$(add_frameworks_dep kdelibs4support)

100

+	$(add_frameworks_dep ki18n)

101

+	$(add_kdeapps_dep kcalcore)

102

+	$(add_kdeapps_dep kcalutils)

103

+	$(add_kdeapps_dep kcontacts)

104

+"

105

+RDEPEND="${DEPEND}"

106

+

107

+PATCHES=( "${FILESDIR}/${P}-directory-traversal.patch" )

1	commit: ecc7290e718e927b47890b215ef8af6879a85f16
2	Author: Johannes Huber <johu <AT> gentoo <DOT> org>
3	AuthorDate: Tue Feb 28 21:26:52 2017 +0000
4	Commit: Johannes Huber <johu <AT> gentoo <DOT> org>
5	CommitDate: Tue Feb 28 21:27:19 2017 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecc7290e
7
8	kde-apps/libktnef: Fix directory traversal
9
10	https://www.kde.org/info/security/advisory-20170227-1.txt
11
12	Package-Manager: Portage-2.3.3, Repoman-2.3.1
13
14	.../libktnef-16.12.2-directory-traversal.patch \| 53 ++++++++++++++++++++++
15	kde-apps/libktnef/libktnef-16.12.2-r1.ebuild \| 24 ++++++++++
16	2 files changed, 77 insertions(+)
17
18	diff --git a/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch
19	new file mode 100644
20	index 00000000000..d41b4f9c56f
21	--- /dev/null
22	+++ b/kde-apps/libktnef/files/libktnef-16.12.2-directory-traversal.patch
23	@@ -0,0 +1,53 @@
24	+commit 4ff38aa15487d69021aacad4b078500f77fb4ae8
25	+Author: Albert Astals Cid <aacid@×××.org>
26	+Date: Mon Feb 27 19:03:49 2017 +0100
27	+
28	+ Fix Directory Traversal problem in ktnef
29	+
30	+ Reported by Eric Sesterhenn
31	+
32	+ Patch reviewed by Laurent Montel
33	+
34	+ CCMAIL: eric.sesterhenn@××××××××.de
35	+
36	+diff --git a/src/ktnefparser.cpp b/src/ktnefparser.cpp
37	+index ce40e40..0678003 100644
38	+--- a/src/ktnefparser.cpp
39	++++ b/src/ktnefparser.cpp
40	+@@ -41,7 +41,9 @@
41	+
42	+ #include <QtCore/QDateTime>
43	+ #include <QtCore/QDataStream>
44	++#include <QtCore/QDir>
45	+ #include <QtCore/QFile>
46	++#include <QtCore/QFileInfo>
47	+ #include <QtCore/QVariant>
48	+ #include <QtCore/QList>
49	+
50	+@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile(const QString &filename) const
51	+ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
52	+ const QString &dirname)
53	+ {
54	+- QString filename = dirname + QLatin1Char('/');
55	++ const QString destDir(QDir(dirname).absolutePath()); // get directory path without any "." or ".."
56	++
57	++ QString filename = destDir + QLatin1Char('/');
58	+ if (!att->fileName().isEmpty()) {
59	+ filename += att->fileName();
60	+ } else {
61	+@@ -462,6 +466,15 @@ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
62	+ if (!device_->seek(att->offset())) {
63	+ return false;
64	+ }
65	++
66	++ const QFileInfo fi(filename);
67	++ if (!fi.absoluteFilePath().startsWith(destDir)) {
68	++ qWarning() << "Attempted extract into" << fi.absoluteFilePath()
69	++ << "which is outside of the extraction root folder" << destDir << "."
70	++ << "Changing export of contained files to extraction root folder.";
71	++ filename = destDir + QLatin1Char('/') + fi.fileName();
72	++ }
73	++
74	+ QSaveFile outfile(filename);
75	+ if (!outfile.open(QIODevice::WriteOnly)) {
76	+ return false;
77
78	diff --git a/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild
79	new file mode 100644
80	index 00000000000..e759f310c12
81	--- /dev/null
82	+++ b/kde-apps/libktnef/libktnef-16.12.2-r1.ebuild
83	@@ -0,0 +1,24 @@
84	+# Copyright 1999-2017 Gentoo Foundation
85	+# Distributed under the terms of the GNU General Public License v2
86	+
87	+EAPI=6
88	+
89	+KDE_TEST="true"
90	+KMNAME="ktnef"
91	+inherit kde5
92	+
93	+DESCRIPTION="Library for handling TNEF data"
94	+LICENSE="GPL-2+"
95	+KEYWORDS="~amd64 ~x86"
96	+IUSE=""
97	+
98	+DEPEND="
99	+ $(add_frameworks_dep kdelibs4support)
100	+ $(add_frameworks_dep ki18n)
101	+ $(add_kdeapps_dep kcalcore)
102	+ $(add_kdeapps_dep kcalutils)
103	+ $(add_kdeapps_dep kcontacts)
104	+"
105	+RDEPEND="${DEPEND}"
106	+
107	+PATCHES=( "${FILESDIR}/${P}-directory-traversal.patch" )

Gentoo Archives: gentoo-commits