Launchpad CVE tracker

CVE 2016-6232

Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.

Related bugs and status

CVE-2016-6232 (Candidate) is related to these bugs:

Bug #1712948: [CVE] KNewstuff downloads can install files outside the extraction directory

Summary				In	Importance	Status
	1712948	[CVE] KNewstuff downloads can install files outside the extraction directory		karchive (Ubuntu)	Medium	Fix Released
	1712948	[CVE] KNewstuff downloads can install files outside the extraction directory		karchive (Ubuntu Xenial)	Medium	Fix Released

Bug #1839432: [CVE] malicious .desktop files (and others) would execute code

		In	Importance	Status
1839432	[CVE] malicious .desktop files (and others) would execute code	kconfig (Ubuntu)	Medium	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kconfig (Ubuntu Bionic)	Medium	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kconfig (Ubuntu Disco)	Medium	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kconfig (Ubuntu Xenial)	Medium	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kde4libs (Ubuntu)	Low	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kde4libs (Ubuntu Bionic)	Low	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kde4libs (Ubuntu Disco)	Low	Fix Released
1839432	[CVE] malicious .desktop files (and others) would execute code	kde4libs (Ubuntu Xenial)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2016-6232

References