[CVE] KNewstuff downloads can install files outside the extraction directory

Bug #1712948 reported by Simon Quigley on 2017-08-25
Affects                   Importance  Assigned to
karchive (Ubuntu)         Medium      Unassigned
karchive (Ubuntu Xenial)  Medium      Simon Quigley

Bug Description

KDE Project Security Advisory
=============================

Title: karchive: KNewstuff downloads can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2016-6232
Platforms: Linux / Mac / Windows
Versions: karchive < 5.24
Author: David Faure <email address hidden>
Date: 24 July 2016

Overview
========

A maliciously crafted archive (.zip or .tar.bz2) with "../" in the file paths
could be offered for download via the KNewStuff framework (e.g. on
www.kde-look.org), and upon extraction would install files anywhere in the
user's home directory.

Proof of concept
================

For testing, an example of a malicious archive can be found at
http://www.davidfaure.fr/kde/tar_relative_path_outside_archive.tar.bz2

Impact
======

Users can unwillingly install files like a modified .bashrc, or a new .desktop
file associated to a common MIME type and executing a malicious command.

Workaround
==========

Users should not install anything via KNewStuff until KDE Frameworks 5.24,
or should at least inspect downloaded archives to make sure they don't contain
relative paths containing "../".

Solution
========

KArchive 5.24, released as part of KDE Frameworks 5.24, forbids archive
extraction from installing files outside the extraction directory.

Alternatively, commit 0cb243f in karchive.git can be applied to previous
releases.
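The check the Solution section describes, as an added illustration that is not karchive's code and not the fix in commit 0cb243f: an extractor looks at each entry name, normalises it lexically, and refuses any entry that is absolute or whose normalised form starts with "..", so "../.bashrc" and "theme/../../.local/share/applications/evil.desktop" are never written, while a legitimate "a/b/../c.txt" still lands inside the destination. Written in plain C++17 with std::filesystem rather than Qt; the function names, the destination path and the sample entry list are constructed for this example.

```cpp
#include <cstdio>
#include <filesystem>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Return true if an archive entry name, joined to the extraction directory,
// stays inside that directory after lexical normalisation. Absolute names
// (and Windows drive-qualified names) are rejected outright; relative names
// are rejected when normalisation leaves a leading "..", which is exactly the
// "../" traversal the advisory describes. A name such as "..notes.txt" is a
// plain file name and is accepted, because it is compared component-wise.
bool entryStaysInside(const std::string& entryName) {
    fs::path p(entryName);
    if (p.empty() || p.is_absolute() || p.has_root_name()) return false;
    fs::path norm = p.lexically_normal();   // "a/../../b" -> "../b"
    if (norm.empty()) return false;
    return norm.begin()->string() != "..";
}

// Simulate a guarded extraction plan: the full target path of every entry
// that passes the check, in archive order; rejected entries are skipped.
std::vector<std::string> plannedTargets(const fs::path& destDir,
                                        const std::vector<std::string>& names) {
    std::vector<std::string> out;
    for (const auto& n : names) {
        if (!entryStaysInside(n)) continue;
        out.push_back((destDir / fs::path(n).lexically_normal()).generic_string());
    }
    return out;
}

int main() {
    // Constructed entry list modelled on the malicious archive in the
    // advisory (not the contents of the linked test tarball).
    const std::vector<std::string> entries = {
        "theme/icons/logo.svg",
        "../.bashrc",
        "theme/../../.local/share/applications/evil.desktop",
        "/etc/passwd",
        "..not-traversal.txt",
    };
    for (const auto& e : entries)
        std::printf("%-55s %s\n", e.c_str(),
                    entryStaysInside(e) ? "extract" : "REJECT");
    for (const auto& t : plannedTargets("/home/user/.local/share/app", entries))
        std::printf("would write: %s\n", t.c_str());
    return 0;
}
```

The check is purely lexical, which is what makes it cheap and safe to run before anything touches the disk; it does not cover a symlink entry that is extracted first and then used as a path component by a later entry, so an extractor also has to decide how it treats symlinks and hard links in the archive.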

Thanks to Andreas Cord-Landwehr for finding this issue and fixing it.

CVE References

Simon Quigley (tsimonq2) on 2017-08-25
information type: Public → Public Security
Changed in karchive (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress
Changed in karchive (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Changed in karchive (Ubuntu):
assignee: Simon Quigley (tsimonq2) → nobody
status: In Progress → Fix Released
Simon Quigley (tsimonq2) on 2017-09-02
Changed in karchive (Ubuntu):
importance: Undecided → Medium
Changed in karchive (Ubuntu Xenial):
importance: Undecided → Medium
Simon Quigley (tsimonq2) on 2017-09-02
tags: added: xenial
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Xenial applicable to 5.18.0-0ubuntu1. I tested this on a fresh, fully updated Kubuntu 16.04 install and it works fine (without regression).

Changed in karchive (Ubuntu Xenial):
milestone: none → xenial-updates
Simon Quigley (tsimonq2) wrote :

For what it's worth, sponsor, the debdiff includes a reference to a new tar file that was included, but obviously you can't see that in the debdiff. Here's a link to it: https://cgit.kde.org/karchive.git/tree/autotests/tar_relative_path_outside_archive.tar.bz2?id=0cb243

Tyler Hicks (tyhicks) wrote :

I'm having some trouble sponsoring this debdiff. Here's a cleaned up version of a chat I had with Simon about this:

tyhicks> tsimonq2: hey - what am I supposed to do with tar_relative_path_outside_archive.tar.bz2 for bug #1712948? debian/source/include-binaries is not well documented...
tyhicks> tsimonq2: also, is there any use in including the autotest/ changes? I don't see where they're ever used
tsimonq2> tyhicks: With the tar, the patch file has the location iirc
tsimonq2> tyhicks: And the autotest/ changes are from the upstream commit iirc, so that can also help with regression testing (I don't see a reason to exclude them)
tyhicks> tsimonq2: when do the tests get run?
tsimonq2> But the tests added *should* be run
tyhicks> tsimonq2: I applied your debdiff, without downloading the tarball and the build was successful which indicates to me that autotest/ isn't used
tyhicks> tsimonq2: I then downloaded the tarball to autotest/tar_relative_path_outside_archive.tar.bz2 and the source package build failed with http://paste.ubuntu.com/25485048/
tyhicks> tsimonq2: so the gist is that I don't know how you built the package with the tarball and, because of that, I'd like to know whether it is even worth the trouble to include the autotest/ changes at all
tyhicks> tsimonq2: if it is worth it, then I need some more info on what to do with the tarball

Changed in karchive (Ubuntu Xenial):
status: In Progress → Incomplete
Tyler Hicks (tyhicks) wrote :

Simon pointed out to me, over IRC, that I can't wget the tarball link that he provided. That fixed my problem. Everything looks good to me now and I'll be releasing the update shortly.

Changed in karchive (Ubuntu Xenial):
status: Incomplete → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package karchive - 5.18.0-0ubuntu1.1

---------------
karchive (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: KNewstuff downloads can install files outside the
    extraction directory (LP: #1712948)
    - fix-CVE-2016-6232.patch
    - CVE-2016-6232

 -- Simon Quigley <email address hidden> Sat, 02 Sep 2017 01:06:58 -0500

Changed in karchive (Ubuntu Xenial):
status: Confirmed → Fix Released