authorMaciej Mrozowski <reavertm@gentoo.org>2011-10-20 00:14:06 +0000
committerMaciej Mrozowski <reavertm@gentoo.org>2011-10-20 00:14:06 +0000
commitdaa7774d0258920f810ed671268408714ed868fe (patch)
tree5eaac173412c20726158928d30811780df9d00f9 /kde-base
parentinitial commit (diff)
CVE-2011-2725, bug 386055
(Portage version: 2.2.0_alpha69/cvs/Linux x86_64)
Diffstat (limited to 'kde-base')
-rw-r--r--kde-base/ark/ChangeLog11
-rw-r--r--kde-base/ark/ark-4.6.5-r1.ebuild39
-rw-r--r--kde-base/ark/ark-4.7.1-r1.ebuild45
-rw-r--r--kde-base/ark/ark-4.7.2-r1.ebuild45
-rw-r--r--kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch36
5 files changed, 175 insertions, 1 deletions
diff --git a/kde-base/ark/ChangeLog b/kde-base/ark/ChangeLog
index bedfd5880782..a67d04c686f2 100644
--- a/kde-base/ark/ChangeLog
+++ b/kde-base/ark/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for kde-base/ark
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ChangeLog,v 1.199 2011/10/15 17:26:14 dilfridge Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ChangeLog,v 1.200 2011/10/20 00:14:06 reavertm Exp $
+
+*ark-4.6.5-r1 (20 Oct 2011)
+*ark-4.7.1-r1 (20 Oct 2011)
+*ark-4.7.2-r1 (20 Oct 2011)
+
+ 20 Oct 2011; Maciej Mrozowski <reavertm@gentoo.org> +ark-4.6.5-r1.ebuild,
+ +ark-4.7.1-r1.ebuild, +ark-4.7.2-r1.ebuild,
+ +files/ark-4.6.5-CVE-2011-2725.patch:
+ CVE-2011-2725, bug 386055
15 Oct 2011; Andreas K. Huettel <dilfridge@gentoo.org> -ark-4.7.0.ebuild:
Drop KDE 4.7.0
diff --git a/kde-base/ark/ark-4.6.5-r1.ebuild b/kde-base/ark/ark-4.6.5-r1.ebuild
new file mode 100644
index 000000000000..563f3f58bff6
--- /dev/null
+++ b/kde-base/ark/ark-4.6.5-r1.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.6.5-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KMNAME="kdeutils"
+inherit kde4-meta
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ kde4-meta_src_configure
+}
+
+pkg_postinst() {
+ kde4-meta_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
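Review bot: The `PATCHES` array carries no comment tying the patch to its origin, here and in the identical arrays of ark-4.7.1-r1.ebuild and ark-4.7.2-r1.ebuild. A line such as `# CVE-2011-2725, bug 386055: backport of upstream ark.git commit ccb5448eb2ae; drop once a release ships it` above the array would tell the next maintainer when the entry can be removed. The two 4.7.x ebuilds reuse the file named for 4.6.5, and nothing visible in this commit shows it was checked against those sources, so that is worth recording in the same comment.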
diff --git a/kde-base/ark/ark-4.7.1-r1.ebuild b/kde-base/ark/ark-4.7.1-r1.ebuild
new file mode 100644
index 000000000000..4c0b256ac4e1
--- /dev/null
+++ b/kde-base/ark/ark-4.7.1-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.7.1-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KDE_SCM="git"
+if [[ ${PV} == *9999 ]]; then
+ kde_eclass="kde4-base"
+else
+ KMNAME="kdeutils"
+ kde_eclass="kde4-meta"
+fi
+inherit ${kde_eclass}
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ ${kde_eclass}_src_configure
+}
+
+pkg_postinst() {
+ ${kde_eclass}_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
diff --git a/kde-base/ark/ark-4.7.2-r1.ebuild b/kde-base/ark/ark-4.7.2-r1.ebuild
new file mode 100644
index 000000000000..cd28330e8aa7
--- /dev/null
+++ b/kde-base/ark/ark-4.7.2-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.7.2-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KDE_SCM="git"
+if [[ ${PV} == *9999 ]]; then
+ kde_eclass="kde4-base"
+else
+ KMNAME="kdeutils"
+ kde_eclass="kde4-meta"
+fi
+inherit ${kde_eclass}
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ ${kde_eclass}_src_configure
+}
+
+pkg_postinst() {
+ ${kde_eclass}_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
diff --git a/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch b/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch
new file mode 100644
index 000000000000..39cc52a0396a
--- /dev/null
+++ b/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch
@@ -0,0 +1,36 @@
+From: Raphael Kubo da Costa <rakuco@FreeBSD.org>
+Date: Mon, 17 Oct 2011 22:28:27 +0000
+Subject: Fix directory traversal issue (CVE-2011-2725).
+X-Git-Url: http://quickgit.kde.org/?p=ark.git&amp;a=commitdiff&amp;h=ccb5448eb2aedd150313ea0af431a9b754176975
+---
+Fix directory traversal issue (CVE-2011-2725).
+
+Tim Brown from Nth Dimension noticed a possible traversal issue where
+the previewer dialog would show (and then remove) the wrong file when
+a maliciously crafted archive had a file previewed.
+
+We now do the same thing as infozip and filter out "../" from the
+paths being previewed.
+---
+
+
+--- a/ark/part/part.cpp
++++ b/ark/part/part.cpp
+@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo
+ if (!job->error()) {
+ const ArchiveEntry& entry =
+ m_model->entryForIndex(m_view->selectionModel()->currentIndex());
+- const QString fullName =
+- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
++
++ QString fullName =
++ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString();
++
++ // Make sure a maliciously crafted archive with parent folders named ".." do
++ // not cause the previewed file path to be located outside the temporary
++ // directory, resulting in a directory traversal issue.
++ fullName.remove(QLatin1String("../"));
++
+ ArkViewer::view(fullName, widget());
+ } else {
+ KMessageBox::error(widget(), job->errorString());
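Review bot: `fullName.remove(QLatin1String("../"))` is a single-pass substring filter, and it runs on the whole concatenated path rather than on the entry name alone. After one pass the characters on either side of a removed `../` can join into a new `../`, so the result is not guaranteed to stay under `m_previewDir`. A containment check is sturdier: normalise with `QDir::cleanPath(fullName)` and refuse to call `ArkViewer::view` unless the result still starts with `m_previewDir->name()`. The body of `Part::slotPreviewExtracted` begins and ends outside this hunk, so whether the extraction step filters entry names itself is not visible here.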