-rw-r--r--deskutils/kdepimlibs4/Makefile2
-rw-r--r--deskutils/kdepimlibs4/files/patch-ktnef_ktnefparser.cpp38
2 files changed, 39 insertions, 1 deletions
diff --git a/deskutils/kdepimlibs4/Makefile b/deskutils/kdepimlibs4/Makefile
index 3d3ed829ab06..6ad9b93b7626 100644
--- a/deskutils/kdepimlibs4/Makefile
+++ b/deskutils/kdepimlibs4/Makefile
@@ -3,7 +3,7 @@
PORTNAME= kdepimlibs
PORTVERSION= ${KDE4_KDELIBS_VERSION}
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= deskutils kde
MASTER_SITES= KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src
DIST_SUBDIR= KDE/${PORTVERSION}
diff --git a/deskutils/kdepimlibs4/files/patch-ktnef_ktnefparser.cpp b/deskutils/kdepimlibs4/files/patch-ktnef_ktnefparser.cpp
new file mode 100644
index 000000000000..29f035a3c9fc
--- /dev/null
+++ b/deskutils/kdepimlibs4/files/patch-ktnef_ktnefparser.cpp
@@ -0,0 +1,38 @@
+Fix for https://www.kde.org/info/security/advisory-20170227-1.txt
+--- ktnef/ktnefparser.cpp.orig 2017-03-11 20:23:43 UTC
++++ ktnef/ktnefparser.cpp
+@@ -40,7 +40,9 @@
+
+ #include <QtCore/QDateTime>
+ #include <QtCore/QDataStream>
++#include <QtCore/QDir>
+ #include <QtCore/QFile>
++#include <QtCore/QFileInfo>
+ #include <QtCore/QVariant>
+ #include <QtCore/QList>
+
+@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile( const QSt
+ bool KTNEFParser::ParserPrivate::extractAttachmentTo( KTNEFAttach *att,
+ const QString &dirname )
+ {
+- QString filename = dirname + '/';
++ const QString destDir( QDir( dirname ).absolutePath() ); // get directory path without any "." or ".."
++
++ QString filename = destDir + '/';
+ if ( !att->fileName().isEmpty()) {
+ filename += att->fileName();
+ } else {
+@@ -462,6 +466,13 @@ bool KTNEFParser::ParserPrivate::extract
+ if ( !device_->seek( att->offset() ) ) {
+ return false;
+ }
++ const QFileInfo fi( filename );
++ if ( !fi.absoluteFilePath().startsWith( destDir ) ) {
++ kWarning() << "Attempted extract into" << fi.absoluteFilePath()
++ << "which is outside of the extraction root folder" << destDir << "."
++ << "Changing export of contained files to extraction root folder.";
++ filename = destDir + QLatin1Char( '/' ) + fi.fileName();
++ }
+ KSaveFile outfile( filename );
+ if ( !outfile.open() ) {
+ return false;
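Review bot: The containment test `fi.absoluteFilePath().startsWith( destDir )` in extractAttachmentTo() is a bare string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the destination directory's name still passes and is written outside the extraction root. Comparing against the directory plus a separator closes that boundary: `if ( !fi.absoluteFilePath().startsWith( destDir + QLatin1Char( '/' ) ) ) {`. The check also relies on QFileInfo::absoluteFilePath() collapsing `..`, which the Qt documentation does not promise (redundant elements are "not necessarily removed"), so wrapping the value in `QDir::cleanPath()` would make the intent explicit; neither call resolves symbolic links, which may or may not matter for this caller. The function body continues past the end of the embedded hunk, so what happens after `outfile.open()` is not visible here.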