
kf5-karchive: command execution

Package(s): kf5-karchive    CVE #(s): CVE-2016-6232
Created: July 25, 2016    Updated: August 8, 2016
Description: From the KDE Project Security Advisory:

A maliciously crafted archive (.zip or .tar.bz2) with "../" in the file paths could be offered for download via the KNewStuff framework (e.g. on www.kde-look.org), and upon extraction would install files anywhere in the user's home directory.

Users can unwillingly install files like a modified .bashrc, or a new .desktop file associated to a common MIME type and executing a malicious command.

Users should not install anything via KNewStuff until KDE Frameworks 5.24, or should at least inspect downloaded archives to make sure they don't contain relative paths containing "../".

KArchive 5.24, released as part of KDE Frameworks 5.24, forbids archive extraction from installing files outside the extraction directory.
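As an added illustration of the check the advisory recommends (this is example code written here, not KArchive's or KNewStuff's own implementation), the script below inspects a .zip or .tar.bz2 archive and lists every entry whose normalised path would land outside the extraction directory. The sample archives and the extraction directory /home/user/.local/share/wallpapers are constructed for the example.

```python
import io
import posixpath
import tarfile
import zipfile

# Hypothetical KNewStuff extraction directory, used only as a constructed example.
DEST = "/home/user/.local/share/wallpapers"


def escapes_dir(entry_name: str, dest: str = DEST) -> bool:
    """Return True if extracting `entry_name` under `dest` would land outside `dest`.

    posixpath.normpath collapses components such as "theme/../../x" into "../x",
    so traversal hidden behind harmless-looking prefixes is caught as well as a
    plain leading "../". Absolute entry names are rejected outright.
    (Symlink targets inside tar archives are not examined here.)
    """
    if entry_name.startswith("/"):
        return True
    base = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(base, entry_name))
    return posixpath.commonpath([base, target]) != base


def unsafe_entries(data: bytes) -> list:
    """Return the entry names of a .zip or .tar.* archive that would escape DEST."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = [m.name for m in tf.getmembers()]
    return [n for n in names if escapes_dir(n)]


def build_samples() -> dict:
    """Construct two small in-memory archives (constructed test data, not real downloads)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("theme/wallpaper.png", b"png")
        zf.writestr("../../.bashrc", b"# modified shell startup file\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:bz2") as tf:
        for name, body in [("theme/colors", b"ok"),
                           ("theme/../../../applications/shim.desktop", b"[Desktop Entry]\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return {"zip": zbuf.getvalue(), "tar.bz2": tbuf.getvalue()}


if __name__ == "__main__":
    for kind, blob in build_samples().items():
        print(kind, "-> unsafe entries:", unsafe_entries(blob))
```

An archive for which unsafe_entries() returns a non-empty list should be discarded rather than extracted; KArchive 5.24 applies the equivalent rule at extraction time.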

Alerts:
Distribution   Reference                   Package        Date
openSUSE       openSUSE-SU-2016:2223-1     karchive       2016-09-02
Debian         DSA-3643-1                  kde4libs       2016-08-06
Debian-LTS     DLA-570-1                   kde4libs       2016-07-30
openSUSE       openSUSE-SU-2016:1884-1     karchive       2016-07-27
Ubuntu         USN-3042-1                  kde4libs       2016-07-26
Fedora         FEDORA-2016-cef912e3a4      kf5-karchive   2016-07-23
Fedora         FEDORA-2016-4701636a74      kf5-karchive   2016-07-23



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds