head 1.2; access; symbols pkgsrc-2021Q1:1.1.0.6 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.4 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.2 pkgsrc-2020Q3-base:1.1; locks; strict; comment @// @; 1.2 date 2021.04.07.12.28.15; author markd; state dead; branches; next 1.1; commitid tztrjjIqpl25hmOC; 1.1 date 2020.09.20.11.05.31; author markd; state Exp; branches; next ; commitid tgh5uzJTAugsdMoC; desc @@ 1.2 log @kde applications release: update to 20.12.3 10 months worth of updates. @ text @$NetBSD: patch-plugins_libarchive_libarchiveplugin.cpp,v 1.1 2020/09/20 11:05:31 markd Exp $ https://kde.org/info/security/advisory-20200827-1.txt A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction. --- plugins/libarchive/libarchiveplugin.cpp.orig 2020-05-11 21:15:07.000000000 +0000 +++ plugins/libarchive/libarchiveplugin.cpp @@@@ -509,21 +509,9 @@@@ void LibarchivePlugin::emitEntryFromArch int LibarchivePlugin::extractionFlags() const { - int result = ARCHIVE_EXTRACT_TIME; - result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; - - // TODO: Don't use arksettings here - /*if ( ArkSettings::preservePerms() ) - { - result &= ARCHIVE_EXTRACT_PERM; - } - - if ( !ArkSettings::extractOverwrite() ) - { - result &= ARCHIVE_EXTRACT_NO_OVERWRITE; - }*/ - - return result; + return ARCHIVE_EXTRACT_TIME + | ARCHIVE_EXTRACT_SECURE_NODOTDOT + | ARCHIVE_EXTRACT_SECURE_SYMLINKS; } void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress) @ 1.1 log @ark: patches for CVE-2020-16116 and CVE-2020-24654 @ text @d1 1 a1 1 $NetBSD$ @
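Review bot: The new return in extractionFlags() gives no hint why ARCHIVE_EXTRACT_SECURE_SYMLINKS is required, so a later cleanup could drop it without noticing it is the CVE fix; add a why-comment above the return such as `// SECURE_SYMLINKS makes libarchive refuse to write through a symlink in an entry path (https://kde.org/info/security/advisory-20200827-1.txt); do not remove.` With that flag set, libarchive (as far as I read it) rejects the offending entry with an error rather than skipping it silently, so the extraction loop that consumes these flags — outside this hunk, copyData() and its callers — needs to check that return code and report it to the user instead of treating the archive as fully extracted. If the libarchive version this package builds against is recent enough, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS is worth adding in the same expression so absolute entry paths are also rejected at the libarchive layer, `| ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;`.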