head 1.2; access; symbols pkgsrc-2021Q1:1.1.0.6 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.4 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.2 pkgsrc-2020Q3-base:1.1; locks; strict; comment @// @; 1.2 date 2021.04.07.12.28.15; author markd; state dead; branches; next 1.1; commitid tztrjjIqpl25hmOC; 1.1 date 2020.09.20.11.05.31; author markd; state Exp; branches; next ; commitid tgh5uzJTAugsdMoC; desc @@ 1.2 log @kde applications release: update to 20.12.3 10 months worth of updates. @ text @$NetBSD: patch-kerfuffle_jobs.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $ https://kde.org/info/security/advisory-20200730-1.txt A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.
--- kerfuffle/jobs.cpp.orig 2020-05-11 21:15:07.000000000 +0000
+++ kerfuffle/jobs.cpp
@@@@ -181,6 +181,13 @@@@ void Job::onError(const QString & messag
 void Job::onEntry(Archive::Entry *entry)
 {
+ const QString entryFullPath = entry->fullPath();
+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
+ onFinished(false);
+ return;
+ }
 emit newEntry(entry);
 } @ 1.1 log @ark: patches for CVE-2020-16116 and CVE-2020-24654 @ text @d1 1 a1 1 $NetBSD$ @
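Review bot: The guard added to Job::onEntry only catches relative traversal, because `QDir::cleanPath` leaves an absolute entry path absolute and that string never contains `../`, so such an entry still reaches `emit newEntry(entry)` unless a later extraction step strips the leading separator, which I cannot see from this hunk. The same substring test also misses a cleaned path that is exactly `..` and, conversely, rejects a benign name such as `x../y`. Since cleanPath folds interior `..` components, a relative path can only keep `..` at its start, so a component-based test is both tighter and precise: `const QString cleaned = QDir::cleanPath(entryFullPath);` followed by `if (QDir::isAbsolutePath(cleaned) || cleaned == QLatin1String("..") || cleaned.startsWith(QLatin1String("../"))) {`. A short comment above the check would help the next reader see what the normalisation is relied on for: `// cleanPath() folds interior "..", so only a leading ".." (or an absolute path) can escape the destination directory`.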