authorMaciej Mrozowski <reavertm@gentoo.org>2011-10-20 00:14:06 +0000
committerMaciej Mrozowski <reavertm@gentoo.org>2011-10-20 00:14:06 +0000
commitdc2e34c11fa06eb85ca0386e322927fb16f2b736 (patch)
tree226285bffc4609da0eeadf3c926954fc47f7a097 /kde-base
parentinitial commit (diff)
CVE-2011-2725, bug 386055
Package-Manager: portage-2.2.0_alpha69/cvs/Linux x86_64
Diffstat (limited to 'kde-base')
-rw-r--r--kde-base/ark/ChangeLog11
-rw-r--r--kde-base/ark/Manifest24
-rw-r--r--kde-base/ark/ark-4.6.5-r1.ebuild39
-rw-r--r--kde-base/ark/ark-4.7.1-r1.ebuild45
-rw-r--r--kde-base/ark/ark-4.7.2-r1.ebuild45
-rw-r--r--kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch36
6 files changed, 184 insertions, 16 deletions
diff --git a/kde-base/ark/ChangeLog b/kde-base/ark/ChangeLog
index bedfd5880782..a67d04c686f2 100644
--- a/kde-base/ark/ChangeLog
+++ b/kde-base/ark/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for kde-base/ark
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ChangeLog,v 1.199 2011/10/15 17:26:14 dilfridge Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ChangeLog,v 1.200 2011/10/20 00:14:06 reavertm Exp $
+
+*ark-4.6.5-r1 (20 Oct 2011)
+*ark-4.7.1-r1 (20 Oct 2011)
+*ark-4.7.2-r1 (20 Oct 2011)
+
+ 20 Oct 2011; Maciej Mrozowski <reavertm@gentoo.org> +ark-4.6.5-r1.ebuild,
+ +ark-4.7.1-r1.ebuild, +ark-4.7.2-r1.ebuild,
+ +files/ark-4.6.5-CVE-2011-2725.patch:
+ CVE-2011-2725, bug 386055
15 Oct 2011; Andreas K. Huettel <dilfridge@gentoo.org> -ark-4.7.0.ebuild:
Drop KDE 4.7.0
diff --git a/kde-base/ark/Manifest b/kde-base/ark/Manifest
index ba19d80d24db..609d8e95b98e 100644
--- a/kde-base/ark/Manifest
+++ b/kde-base/ark/Manifest
@@ -1,31 +1,25 @@
-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA1
+AUX ark-4.6.5-CVE-2011-2725.patch 1483 RMD160 5be56edabdb92821c80be42ea39c51dff670398f SHA1 2cd15ea4ef3cc60a2b0321c1872787ae2ef782d2 SHA256 50653ad3d75e4473078fa32108f01f321503f10edb62d25c95f5d064a3e79991
AUX ark-detect-libarchive-in-proper-place.patch 1350 RMD160 920181d3fbe98cc6435cb421e7e73cd1551be4ca SHA1 967e407f27f264e2ecf4e34498f68fd92dc83dbc SHA256 0680251d0b32ecb24ce5ad8dae0c27473d58edf48aee9096f90b2446fc20c104
DIST kdeutils-4.6.3.tar.bz2 3703326 RMD160 1fe6287fed3fa21eef902ee764425171f7345e6c SHA1 1aa735c03689ef49b949278ee31d0d8e8536b7d6 SHA256 d61e97a5b3464fbfaef624927cfc19da4158dd91f2e020eb245d10da8af33196
DIST kdeutils-4.6.5.tar.bz2 3699961 RMD160 65293718d8785c8e06e9149465f55f7f5a8718f5 SHA1 1c2ae023d9a6bcf72d3cebd0d7df2e6a175ffdcb SHA256 03de4b7728301414c8e704ba5c8650d8ded053747268ad47c901880fc1bf0b29
DIST kdeutils-4.7.1.tar.bz2 3799087 RMD160 a5e453fd43165a4ea0c9a8bc185435a8a9d4212d SHA1 96eb89be0e319e5d0709430f86dc6a7db80d9967 SHA256 8d73fbc9acf270f68626a98fe454b4f86a18d2d299aab718e3c47e1f71e2f468
DIST kdeutils-4.7.2.tar.bz2 3800427 RMD160 13fadbd312d70d7de360221facaf506707562fcc SHA1 52ce9b6b5f2c20475f46b6f7378ca4c530df37b4 SHA256 cdea138fc4556b4f6de5e63ee7ccbcb3485a780f372e699c0cb9fd6d65e02f96
EBUILD ark-4.6.3-r1.ebuild 1004 RMD160 32e973c33ddd8b982d0cf71af8a8fd3ef5945c93 SHA1 d0ccdc0fa2d271219bdf17b67adff4716d7f48a1 SHA256 73c8b028c9b82b481bd40446da9483e43eee77263e58f50daf9e1491bc5c101b
+EBUILD ark-4.6.5-r1.ebuild 923 RMD160 531aa13c5c8a22294cc364d3087e756c95555108 SHA1 e3928bad51ad1dce625d52d578cf52efd6ae2538 SHA256 015c582951c3aad020100b2be9c897a09f52601c10cbd9e7b00a57bd0c618e83
EBUILD ark-4.6.5.ebuild 856 RMD160 f200e7b4ca898d6c6fb3ecda6e7d84effe3b24bd SHA1 a61103ff29171ce5685ca4a08f411df53ecb5cc5 SHA256 deed5276b5928400f906a597c25cdac741eaaa7eb15cb37685c952f0952fb4a2
+EBUILD ark-4.7.1-r1.ebuild 1036 RMD160 94dbb11fa0e6be745a89fe86da2277fc68cb99c4 SHA1 68d0f57ea76a6f0ed06fb1c723ea4437b5396892 SHA256 92b800a6dbc9e5d4f23584806f88397b13016e73e1b06b81af88e21069957904
EBUILD ark-4.7.1.ebuild 971 RMD160 55f6bbc01a8403cc6ffe77ef474f1cbdef118d29 SHA1 681b4e9013402ecdd19c67b15fa6f2bcd7554f89 SHA256 5b070973e528977f688b332a4c636dccae377f11fd4f19749d16b70e02d5a9f5
+EBUILD ark-4.7.2-r1.ebuild 1036 RMD160 69e6cb5af61f1077d23f22078360f5615fb4d22b SHA1 3474d86478930b73a6afcfad0e32f753a07f7e6e SHA256 390e6b2b0ba9be5e5b03a0ca4a267e9b400fc6100a3c821e56b0dabd3285c93f
EBUILD ark-4.7.2.ebuild 971 RMD160 f20bacc17469ef9e28621709e81315df5883495a SHA1 be5ada003a9907f1bb6731b2308443658242dc40 SHA256 6148cb823adb58d15a21f972aca4810b174b288819bbf8e04cbe4c848685ad86
-MISC ChangeLog 23044 RMD160 638d40e87bb7975d484c2b5021747b760a78832b SHA1 cc3c5394af7985fdbaaeb68032970eb05e3419e6 SHA256 43cecbe82a9b6e15ed337a56a96ae2ae40fcdbc303dd35990de6ca0ef8fe8f44
+MISC ChangeLog 23319 RMD160 2f17bbbc96048ea445ee4c37fdc4df47f745a668 SHA1 be334ddca510cda286b2747653109423534c87eb SHA256 006714772b1ff0a72a2969e16799268c51a724fd08ecc0b57eac43dffbeb3e4e
MISC metadata.xml 265 RMD160 6d5c00bd8e060f14a16549ff10280fab7f6f5dfa SHA1 34b7bb42c33bec69214da2e8c19efc1b1e89d02a SHA256 3a6bd8f72e476b5ceea3aa7d397b9f72307a5fea2a381dc1816c21889fd8248f
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
-iQIcBAEBCgAGBQJOmcKeAAoJENwGBM22xffeQaoP/2H137cc6n9NCXd7RULWrbwn
-N13QSytJpwpkaTc6lxD7LfxX5/qoAzqLgI/SLv0rTo/Cv6zEFsGdc3HmLA+G9WVH
-YAHjYFAZkg9ZRf10EjRVV/2HzBUcf1HHrAQITJw9evhgx9ah3+/0XgrescPX3Plm
-VDuQq8W3V0Suauf/wcokE6kxnaFu8wi+aZlnEZIS55ZNBM6RbBe2MDmqn3OQnDsr
-4Bza1EH40YUiMRhdSaGYQTCSTnkafcuX/8Dn9h7+7pcDkmGM+DC0XgMyihOtonAV
-/VbYtY/Fy23bEdI7Wmwl2139zuqIp2rBwZAcKlm0TSzPU4mLDGj0prWyAA0I+owX
-JfCPJ0wDHO5Zq/QoTcEqwKfEvvEMnpqtdt7Qf8V6EPWutEaO1QOMVPkib0Ktr85X
-GGgHKZ2fwsT/ASngRknlofJ1PfR91fmFQzK8OxFxklVXxksqYDsDeIFEJfMIyDRf
-i/ub0n5RDWvm4rKRfjQOVXu49MMMR4TOOtQzTtNRVYcylJ2crVV8pmRADZAJ4lFK
-K62R1qroYmuDPEzgvm+YwMG8OmL9VEDioCoRZqxX8t9fCBAJyMSqfqkJge/DZWyE
-E67hcshksT/KyqHzYtwI4WFowa6+veBC4guPZFhwt1m8aWejoIyHzZsn4TuGDwGM
-kOMMXGWICO6wpfpppJVb
-=+lkf
+iEYEARECAAYFAk6fZ9IACgkQFuHa/bHpVdu57wCgw+P1Xn+LwWnUCLUDhajAdHMw
+QEgAoKJ7+JKVJUqxWsFzR+vKcD69Cgi+
+=RuQ5
-----END PGP SIGNATURE-----
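Review bot: The re-signed Manifest drops the clearsign digest from `Hash: SHA512` to `Hash: SHA1`, which weakens the integrity guarantee on the file that pins the checksums of the new security patch. The much shorter signature block suggests a different key from the previous signer's, and that key type may be what limits the digest (inferred, the key itself is not visible here). If the key allows it, setting `personal-digest-preferences SHA512 SHA256` in the committer's gpg.conf and re-signing would keep the stronger digest.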
diff --git a/kde-base/ark/ark-4.6.5-r1.ebuild b/kde-base/ark/ark-4.6.5-r1.ebuild
new file mode 100644
index 000000000000..563f3f58bff6
--- /dev/null
+++ b/kde-base/ark/ark-4.6.5-r1.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.6.5-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KMNAME="kdeutils"
+inherit kde4-meta
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ kde4-meta_src_configure
+}
+
+pkg_postinst() {
+ kde4-meta_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
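Review bot: The `PATCHES` array carries no comment saying where the fix comes from. The 4.7.1-r1 and 4.7.2-r1 ebuilds further down also apply a file named `${PN}-4.6.5-CVE-2011-2725.patch`, which reads like a copy-paste slip unless the sharing is explained. I would add this line above the array in all three ebuilds: `# Backport of upstream ark commit ccb5448e (CVE-2011-2725, bug 386055); one patch shared by 4.6.5, 4.7.1 and 4.7.2.`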
diff --git a/kde-base/ark/ark-4.7.1-r1.ebuild b/kde-base/ark/ark-4.7.1-r1.ebuild
new file mode 100644
index 000000000000..4c0b256ac4e1
--- /dev/null
+++ b/kde-base/ark/ark-4.7.1-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.7.1-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KDE_SCM="git"
+if [[ ${PV} == *9999 ]]; then
+ kde_eclass="kde4-base"
+else
+ KMNAME="kdeutils"
+ kde_eclass="kde4-meta"
+fi
+inherit ${kde_eclass}
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ ${kde_eclass}_src_configure
+}
+
+pkg_postinst() {
+ ${kde_eclass}_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
diff --git a/kde-base/ark/ark-4.7.2-r1.ebuild b/kde-base/ark/ark-4.7.2-r1.ebuild
new file mode 100644
index 000000000000..cd28330e8aa7
--- /dev/null
+++ b/kde-base/ark/ark-4.7.2-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/ark/ark-4.7.2-r1.ebuild,v 1.1 2011/10/20 00:14:06 reavertm Exp $
+
+EAPI=4
+
+KDE_HANDBOOK="optional"
+KDE_SCM="git"
+if [[ ${PV} == *9999 ]]; then
+ kde_eclass="kde4-base"
+else
+ KMNAME="kdeutils"
+ kde_eclass="kde4-meta"
+fi
+inherit ${kde_eclass}
+
+DESCRIPTION="KDE Archiving tool"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+IUSE="+archive +bzip2 debug lzma"
+
+DEPEND="
+ $(add_kdebase_dep libkonq)
+ sys-libs/zlib
+ archive? ( >=app-arch/libarchive-2.6.1[bzip2?,lzma?,zlib] )
+ lzma? ( app-arch/xz-utils )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-4.6.5-CVE-2011-2725.patch"
+)
+
+src_configure() {
+ mycmakeargs=(
+ $(cmake-utils_use_with archive LibArchive)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with lzma LibLZMA)
+ )
+ ${kde_eclass}_src_configure
+}
+
+pkg_postinst() {
+ ${kde_eclass}_pkg_postinst
+ elog "For creating rar archives, install app-arch/rar"
+}
diff --git a/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch b/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch
new file mode 100644
index 000000000000..39cc52a0396a
--- /dev/null
+++ b/kde-base/ark/files/ark-4.6.5-CVE-2011-2725.patch
@@ -0,0 +1,36 @@
+From: Raphael Kubo da Costa <rakuco@FreeBSD.org>
+Date: Mon, 17 Oct 2011 22:28:27 +0000
+Subject: Fix directory traversal issue (CVE-2011-2725).
+X-Git-Url: http://quickgit.kde.org/?p=ark.git&amp;a=commitdiff&amp;h=ccb5448eb2aedd150313ea0af431a9b754176975
+---
+Fix directory traversal issue (CVE-2011-2725).
+
+Tim Brown from Nth Dimension noticed a possible traversal issue where
+the previewer dialog would show (and then remove) the wrong file when
+a maliciously crafted archive had a file previewed.
+
+We now do the same thing as infozip and filter out "../" from the
+paths being previewed.
+---
+
+
+--- a/ark/part/part.cpp
++++ b/ark/part/part.cpp
+@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo
+ if (!job->error()) {
+ const ArchiveEntry& entry =
+ m_model->entryForIndex(m_view->selectionModel()->currentIndex());
+- const QString fullName =
+- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
++
++ QString fullName =
++ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString();
++
++ // Make sure a maliciously crafted archive with parent folders named ".." do
++ // not cause the previewed file path to be located outside the temporary
++ // directory, resulting in a directory traversal issue.
++ fullName.remove(QLatin1String("../"));
++
+ ArkViewer::view(fullName, widget());
+ } else {
+ KMessageBox::error(widget(), job->errorString());
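Review bot: The added `fullName.remove(QLatin1String("../"))` is a weak containment check. It strips the substring without re-examining its own output, so overlapping sequences in an entry name can still leave a parent-directory component behind, and nothing verifies that the result lies inside `m_previewDir`. It also runs over the whole concatenated path, so a rewritten name may no longer match the file that was actually extracted (inferred; the extraction code is outside this hunk). I would normalise the path with `QDir::cleanPath()` and call `ArkViewer::view()` only when the result still starts with the preview directory, as sketched below. `Part::slotPreviewExtracted` begins and ends outside the hunk.

```cpp
// … unchanged: job->error() check and entry lookup via m_model->entryForIndex() …
const QString previewRoot = QDir::cleanPath(m_previewDir->name());
const QString fullName = QDir::cleanPath(
    previewRoot + QLatin1Char('/') + entry[FileName].toString());

// Only preview files that still resolve inside the temporary directory
// after normalisation; anything else is treated as a malformed entry.
if (fullName.startsWith(previewRoot + QLatin1Char('/'))) {
    ArkViewer::view(fullName, widget());
} else {
    KMessageBox::error(widget(), i18n("The selected entry cannot be previewed."));
}
```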