author | Michael Palimaka <kensington@gentoo.org> | 2016-10-13 03:38:42 +1100 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2016-10-13 03:39:53 +1100 |
commit | 0f144c6aa5bc75e36d742c113f841804b98c4fff (patch) | |
tree | 4e5412b5edc621aa5e9eaf398d77d4bc7f5850f9 /kde-frameworks/karchive | |
parent | sys-kernel/genkernel: temporarily disable metadata change for QA false positive. (diff) | |
kde-frameworks: remove 5.23.0
Package-Manager: portage-2.3.2
Diffstat (limited to 'kde-frameworks/karchive')
-rw-r--r-- | kde-frameworks/karchive/Manifest | 1 | ||||
-rw-r--r-- | kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch | 92 | ||||
-rw-r--r-- | kde-frameworks/karchive/karchive-5.23.0-r1.ebuild | 32 |
3 files changed, 0 insertions, 125 deletions
diff --git a/kde-frameworks/karchive/Manifest b/kde-frameworks/karchive/Manifest
index 63b9dae22aef..607898651f06 100644
--- a/kde-frameworks/karchive/Manifest
+++ b/kde-frameworks/karchive/Manifest
@@ -1,3 +1,2 @@
-DIST karchive-5.23.0.tar.xz 109308 SHA256 3b3e310ae2aceae0513e809e4fc559bea5262cd26ecbe43071388cc1de5e30ef SHA512 86b0b2cceb97002917fa927dc402efa649a582bfcfd63de7e08d66c7687b77dbef975107e6081af37fa20c7bcb9d3a3f5d6f0fcdbfcffb3e75291527f89719bd WHIRLPOOL b7a934897e9c688552f57a2e93e4ea04a44f35e128855da05aea598f028536755602a18aeda59ee698f6151a695667bcbabdcca6d230d780c71096aa9ebba362
 DIST karchive-5.26.0.tar.xz 110836 SHA256 af082dc3a8bd48302d5c36c0a70e2d2c796cb852e3f6ee64cb5059fb7f9adaeb SHA512 62feb92b970bbd9fea1be80a22f0891fb152cd1f1445f59761224904920325208f2e05a30922884012da4a0bff998b1a35cea9c12e5616c5c59a5634c4a7b609 WHIRLPOOL 78b2e0c04b199bce002ce92f5a654ed0760cfdc54498fd9ae86a36206da91750cf596692f934dd19b2e220ba44d01d59d25ec3e66f35aee333050676f339f8c8
 DIST karchive-5.27.0.tar.xz 110736 SHA256 7f387fa2e0f5360870524d0f2b352179f191d0ed0ea78ec3456964ffab8bebb0 SHA512 94c47997d4834be91a12b9b172067c1b5844f5038ebb535b840a11c0e23fefda06ca3c216d37eb3ab2f8ebdef0a725ec9133a4a18f4a48bc318b6fce3a4c2021 WHIRLPOOL 823c7005e63c0e5754a10a9d9ccdbde09c6f9956c3b4e972b95d6bb4c8188fa446b38deeb727ef1627450c9c9dd0ca2fb343cb139e85fc0b7fe8fa410f62c8dd
diff --git a/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch b/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch
deleted file mode 100644
index b5c0608d91ff..000000000000
--- a/kde-frameworks/karchive/files/karchive-5.21.0-CVE-2016-6232.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-commit 0cb243f64eef45565741b27364cece7d5c349c37
-Author: Andreas Cord-Landwehr <cordlandwehr@kde.org>
-Date: Tue Jun 14 15:52:49 2016 +0200
-
- Ensure extraction location to be in subfolder
-
- Behavior change: Switch to Tar's default behavior to avoid extraction
- to arbitrary system locations outside of extraction folder. Instead,
- extract such files to root location in extraction folder.
-
- REVIEW: 128185
-
-diff --git a/autotests/karchivetest.cpp b/autotests/karchivetest.cpp
-index c8abddf..549ed26 100644
---- a/autotests/karchivetest.cpp
-+++ b/autotests/karchivetest.cpp
-@@ -760,6 +760,24 @@ void KArchiveTest::testTarDirectoryTwice() // bug 206994
-
- QCOMPARE(listing.count(), 3);
- }
-+
-+void KArchiveTest::testTarIgnoreRelativePathOutsideArchive()
-+{
-+ // This test extracts a Tar archive that contains a relative path "../foo" pointing
-+ // outside of the archive directory. For security reasons extractions should only
-+ // be allowed within the extracted directory as long as not specifically asked.
-+
-+ KTar tar(QFINDTESTDATA(QLatin1String("tar_relative_path_outside_archive.tar.bz2")));
-+ QVERIFY(tar.open(QIODevice::ReadOnly));
-+
-+ const KArchiveDirectory *dir = tar.directory();
-+ QTemporaryDir tmpDir;
-+ const QString dirName = tmpDir.path() + '/';
-+
-+ QVERIFY(dir->copyTo(dirName));
-+ QVERIFY(!QFile::exists(dirName + "../foo"));
-+ QVERIFY(QFile::exists(dirName + "/foo"));
-+}
- ///
-
- static const char s_zipFileName[] = "karchivetest.zip";
-diff --git a/autotests/karchivetest.h b/autotests/karchivetest.h
-index 4b7ecff..5a6375c 100644
---- a/autotests/karchivetest.h
-+++ b/autotests/karchivetest.h
-@@ -76,6 +76,7 @@ private Q_SLOTS:
- void testTarDirectoryForgotten();
- void testTarRootDir();
- void testTarDirectoryTwice();
-+ void testTarIgnoreRelativePathOutsideArchive();
-
- void testCreateZip();
- void testCreateZipError();
-diff --git a/autotests/tar_relative_path_outside_archive.tar.bz2 b/autotests/tar_relative_path_outside_archive.tar.bz2
-new file mode 100644
-index 0000000..50a3aca
-Binary files /dev/null and b/autotests/tar_relative_path_outside_archive.tar.bz2 differ
-diff --git a/src/karchive.cpp b/src/karchive.cpp
-index 5a7cfc6..7683c7f 100644
---- a/src/karchive.cpp
-+++ b/src/karchive.cpp
-@@ -841,6 +841,7 @@ static bool sortByPosition(const KArchiveFile *file1, const KArchiveFile *file2)
- bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
- {
- QDir root;
-+ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".."
-
- QList<const KArchiveFile *> fileList;
- QMap<qint64, QString> fileToDir;
-@@ -850,10 +851,20 @@ bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
- QStack<QString> dirNameStack;
-
- dirStack.push(this); // init stack at current directory
-- dirNameStack.push(dest); // ... with given path
-+ dirNameStack.push(destDir); // ... with given path
- do {
- const KArchiveDirectory *curDir = dirStack.pop();
-- const QString curDirName = dirNameStack.pop();
-+
-+ // extract only to specified folder if it is located within archive's extraction folder
-+ // otherwise put file under root position in extraction folder
-+ QString curDirName = dirNameStack.pop();
-+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
-+ qWarning() << "Attempted export into folder" << curDirName
-+ << "which is outside of the extraction root folder" << destDir << "."
-+ << "Changing export of contained files to extraction root folder.";
-+ curDirName = destDir;
-+ }
-+
- if (!root.mkpath(curDirName)) {
- return false;
- }
diff --git a/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild b/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild
deleted file mode 100644
index 0449ae62a542..000000000000
--- a/kde-frameworks/karchive/karchive-5.23.0-r1.ebuild
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit kde5
-
-DESCRIPTION="Framework for reading, creation, and manipulation of various archive formats"
-LICENSE="GPL-2 LGPL-2.1"
-KEYWORDS="amd64 ~arm x86"
-IUSE="+bzip2 +lzma"
-
-RDEPEND="
- bzip2? ( app-arch/bzip2 )
- lzma? ( app-arch/xz-utils )
- sys-libs/zlib
-"
-DEPEND="${RDEPEND}"
-
-PATCHES=( "${FILESDIR}/${PN}-5.21.0-CVE-2016-6232.patch" )
-
-RESTRICT="test"
-
-src_configure() {
- local mycmakeargs=(
- $(cmake-utils_use_find_package bzip2 BZip2)
- $(cmake-utils_use_find_package lzma LibLZMA)
- )
-
- kde5_src_configure
-} |