KGet does not properly sanitise the "name" attribute of the "file" element of metalink files before using it to download files. http://secunia.com/advisories/44124/
diff -r1.22 -r1.23 pkgsrc/net/kdenetwork4/Makefile
(markd)
@@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.22 2011/04/22 13:44:23 obache Exp $ | 1 | # $NetBSD: Makefile,v 1.23 2011/05/07 22:25:08 markd Exp $ | |
2 | 2 | |||
3 | DISTNAME= kdenetwork-${_KDE_VERSION} | 3 | DISTNAME= kdenetwork-${_KDE_VERSION} | |
4 | PKGREVISION= 2 | 4 | PKGREVISION= 3 | |
5 | CATEGORIES= net | 5 | CATEGORIES= net | |
6 | COMMENT= Network modules for the KDE integrated X11 desktop | 6 | COMMENT= Network modules for the KDE integrated X11 desktop | |
7 | 7 | |||
8 | CONFLICTS= kopete-[0-9]* | 8 | CONFLICTS= kopete-[0-9]* | |
9 | 9 | |||
10 | .include "../../meta-pkgs/kde4/Makefile.kde4" | 10 | .include "../../meta-pkgs/kde4/Makefile.kde4" | |
11 | 11 | |||
12 | # BUILD_MAKE_FLAGS+= VERBOSE=1 | 12 | # BUILD_MAKE_FLAGS+= VERBOSE=1 | |
13 | 13 | |||
14 | # for kded_dnssdwatcher | 14 | # for kded_dnssdwatcher | |
15 | UNLIMIT_RESOURCES+= datasize memorysize stacksize | 15 | UNLIMIT_RESOURCES+= datasize memorysize stacksize | |
16 | 16 | |||
17 | CMAKE_ARGS+= -DWITH_Xmms:BOOL=OFF | 17 | CMAKE_ARGS+= -DWITH_Xmms:BOOL=OFF |
@@ -1,9 +1,10 @@ | @@ -1,9 +1,10 @@ | |||
1 | $NetBSD: distinfo,v 1.16 2011/01/23 07:55:15 markd Exp $ | 1 | $NetBSD: distinfo,v 1.17 2011/05/07 22:25:08 markd Exp $ | |
2 | 2 | |||
3 | SHA1 (kdenetwork-4.5.5.tar.bz2) = 2c7dd0bc1809ac477f46ddb966f232ca3f60bc0a | 3 | SHA1 (kdenetwork-4.5.5.tar.bz2) = 2c7dd0bc1809ac477f46ddb966f232ca3f60bc0a | |
4 | RMD160 (kdenetwork-4.5.5.tar.bz2) = 769829e255830bf360d9796c0ea9dcb12faeac0b | 4 | RMD160 (kdenetwork-4.5.5.tar.bz2) = 769829e255830bf360d9796c0ea9dcb12faeac0b | |
5 | Size (kdenetwork-4.5.5.tar.bz2) = 8148708 bytes | 5 | Size (kdenetwork-4.5.5.tar.bz2) = 8148708 bytes | |
6 | SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0 | 6 | SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0 | |
7 | SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f | 7 | SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f | |
8 | SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96 | 8 | SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96 | |
9 | SHA1 (patch-af) = 5afe11d2691c0f3e9510d2cd1df5b4f736abafbe | 9 | SHA1 (patch-af) = 5afe11d2691c0f3e9510d2cd1df5b4f736abafbe | |
10 | SHA1 (patch-kget_ui_metalinkcreator_metalinker.cpp) = 1c3aaf24097c25120ff95b329e0995bc91843214 |
$NetBSD: patch-kget_ui_metalinkcreator_metalinker.cpp,v 1.1 2011/05/07 22:25:09 markd Exp $
http://secunia.com/advisories/44124/
--- kget/ui/metalinkcreator/metalinker.cpp 2011/04/09 09:24:33 1227468
+++ kget/ui/metalinkcreator/metalinker.cpp 2011/04/09 09:25:23 1227469
@@ -583,7 +583,13 @@
return false;
}
- if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
+ if (name.endsWith('/')) {
+ kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
+ return false;
+ }
+
+ const QStringList components = name.split('/');
+ if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
return false;
}
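Review bot: The added `name.split('/')` check treats only `/` as a path separator, so a name that uses `\` separators or a drive prefix would pass it on a platform where those are meaningful; whether KGet is built for such a platform is not visible in this hunk. If it is, the same condition could reject them, for example `if (name.startsWith('/') || name.contains('\\') || components.contains("..") || components.contains(".")) {`. The check also only holds if no caller decodes or normalises `name` again before joining it to the download directory, which is worth stating in a comment above it such as `// name must stay a relative path below the download directory; validate the final, decoded string`. The enclosing function starts and ends outside the hunk, so the call sites that rely on this result cannot be confirmed from here.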