Security Information / 2016 / Security Information -- DSA-3643-1 kde4libs

Debian Security Advisory

DSA-3643-1 kde4libs -- security update

Date Reported:

06 Aug 2016

Affected Packages:

kde4libs

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 832620.
In Mitre's CVE dictionary: CVE-2016-6232.

More information:

Andreas Cord-Landwehr discovered that kde4libs, the core libraries for all KDE 4 applications, do not properly handle the extraction of archives with "../" in the file paths. A remote attacker can take advantage of this flaw to overwrite files outside of the extraction folder, if a user is tricked into extracting a specially crafted archive.

For the stable distribution (jessie), this problem has been fixed in version 4:4.14.2-5+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 4:4.14.22-2.

We recommend that you upgrade your kde4libs packages.