Bug 989698 (CVE-2016-6232) - VUL-0: CVE-2016-6232: karchive: extraction of archives in arbitrary system locations
Status: RESOLVED FIXED
Alias: CVE-2016-6232
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171013/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-20 08:26 UTC by Andreas Stieger
Modified: 2017-07-12 15:20 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Andreas Stieger 2016-07-20 08:26:34 UTC
From http://seclists.org/oss-sec/2016/q3/79

===============
When using KNewStuff, one of the KDE Frameworks, to download and install files 
from the internet (e.g. a wallpaper, a plasma applet, etc.), it was possible 
to download a maliciously crafted archive file (e.g. tar.gz or zip) containing 
relative paths leading to outside the extraction directory (say 
"../../../.bashrc" for instance).

The fix has already been reviewed and submitted:
   https://git.reviewboard.kde.org/r/128185/
This fix is one layer below KNewStuff, in the framework called KArchive, which 
handles extraction of .tar.gz / .zip archives. KArchive now prevents files from 
being written outside of the extraction directory, in all cases.

Versions up to KArchive 5.23.0 are affected, the fix is in KArchive 5.24.0, 
which I released a week ago.
===============

https://git.reviewboard.kde.org/r/128185/
https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f64eef45565741b27364cece7d5c349c37&hp=8f90e395240290566c5e0483dddeed3d8714c92a

Affected packages:
openSUSE:13.2:Update/karchive          5.11.0
openSUSE:Backports:SLE-12-SP1/karchive 5.20.0
openSUSE:Leap:42.1:Update/karchive     5.21.0

Already fixed:
openSUSE:Factory/karchive 5.24.0
KDE:Frameworks5/karchive 5.24.0

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1357410
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6232
http://seclists.org/oss-sec/2016/q3/79
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6232.html
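The defence the report describes (refusing to write any archive entry outside the extraction directory) comes down to validating the entry name stored in the archive before joining it to the destination root. The following is an added C++ illustration of that check; it is not KArchive's code and does not reproduce the fix linked above. The function names `isSafeArchiveEntry`, `normalizedEntryOrEmpty` and `destinationFor`, the sample entry names and the root path are all constructed for this example.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Added illustration, not KArchive's code. Lexically normalises the entry
// name stored inside a tar/zip archive and decides whether extracting it
// under a fixed root directory could write outside that root.
// Returns true and stores the normalised relative path in *safeRelative when
// the entry stays inside; returns false for absolute names, names whose ".."
// components climb above the root, and names that normalise to nothing.
bool isSafeArchiveEntry(const std::string& entryName, std::string* safeRelative) {
    if (entryName.empty() || entryName[0] == '/')
        return false;                        // absolute path: never extract
    std::vector<std::string> parts;
    std::stringstream ss(entryName);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".")
            continue;                        // "a//b" and "./a" are harmless
        if (seg == "..") {
            if (parts.empty())
                return false;                // would leave the extraction root
            parts.pop_back();                // "a/../b" collapses to "b"
            continue;
        }
        parts.push_back(seg);
    }
    if (parts.empty())
        return false;                        // "." or "" : nothing to write
    std::string joined;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i) joined += '/';
        joined += parts[i];
    }
    if (safeRelative) *safeRelative = joined;
    return true;
}

// Convenience wrapper: the normalised path, or "" when the entry is rejected.
std::string normalizedEntryOrEmpty(const std::string& entryName) {
    std::string out;
    return isSafeArchiveEntry(entryName, &out) ? out : std::string();
}

// Joins the extraction root and a validated entry; returns "" for unsafe
// entries, so callers extract only when the result is non-empty.
std::string destinationFor(const std::string& root, const std::string& entryName) {
    std::string rel;
    if (!isSafeArchiveEntry(entryName, &rel)) return std::string();
    std::string base = root;
    if (!base.empty() && base.back() != '/') base += '/';
    return base + rel;
}

int main() {
    // Constructed sample entry names, including the one quoted in the report.
    const char* samples[] = {
        "wallpapers/sky.png", "./applet/main.qml", "a/../b/c.txt",
        "../../../.bashrc", "/etc/passwd", "a/b/../../../x",
    };
    for (const char* s : samples) {
        std::string dest = destinationFor("/home/user/.local/share/wallpapers", s);
        std::cout << s << " -> " << (dest.empty() ? "REJECTED" : dest) << '\n';
    }
    return 0;
}
```

The check is purely lexical, which is enough for the relative-path case the report describes. An extractor that also creates symbolic links from archive entries needs a second check at write time (resolving the destination and confirming it still lies under the root), since a later entry could otherwise be written through a link that points outside the directory.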
Comment 1 Bernhard Wiedemann 2016-07-20 10:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (989698) was mentioned in
https://build.opensuse.org/request/show/412293 42.1 / karchive
Comment 2 Andreas Stieger 2016-07-20 21:21:16 UTC
added 13.2 and SLE backports, all submitted
Comment 3 Bernhard Wiedemann 2016-07-20 22:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (989698) was mentioned in
https://build.opensuse.org/request/show/412435 13.2+Backports:SLE-12-SP1 / karchive
Comment 4 Swamp Workflow Management 2016-07-27 17:08:50 UTC
openSUSE-SU-2016:1884-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 989698
CVE References: CVE-2016-6232
Sources used:
openSUSE Leap 42.1 (src):    karchive-5.21.0-15.1
openSUSE 13.2 (src):    karchive-5.11.0-27.1
Comment 5 Swamp Workflow Management 2016-09-02 13:13:49 UTC
openSUSE-SU-2016:2223-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 989698
CVE References: CVE-2016-6232
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    karchive-5.20.0-6.1
Comment 6 Johannes Segitz 2017-07-12 15:20:11 UTC
fixed