[Bug 757526] Re: Updated fix for CVE-2010-1000

Jamie Strandboge jamie at ubuntu.com
Thu Apr 14 22:35:44 UTC 2011


Romain, thanks for the patches. I am reviewing them now.

Felix, you stated 'The previous patch still allows up traversal at the beginning, e.g. "../foo/bar".' In bug #578856 (the original bug for CVE-2010-1000) I created a metalink file that used '<file name="../../../tmp/secunia.png">', which as you can see specifically tested if '../' was at the beginning of the string. In fact, I just tested on maverick with the metalink file I provided and when I try to open it, I see kget outputs:
kget(3314): Name attribute of Metalink::File contains directory traversal directives: "../../../tmp/secunia.png"

AFAICS, '../' at the beginning is covered. This is the code in question that was changed:
if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/.."))

Maybe I am blind, but I don't see what the problem is (I also tried
metalink files with different combinations of '../' in the path). All I
can see is that upstream checks if the target file is a directory, and no
longer allows '.' in the name. Can you give a string that demonstrates a
file traversal/overwrite with the unpatched code?

** Changed in: kdenetwork (Ubuntu Karmic)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Lucid)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Maverick)
       Status: New => Incomplete

** Changed in: kdenetwork (Ubuntu Karmic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: kdenetwork (Ubuntu Lucid)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: kdenetwork (Ubuntu Maverick)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdenetwork in Ubuntu.
https://bugs.launchpad.net/bugs/757526

Title:
  Updated fix for CVE-2010-1000
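
The check quoted in the message above, run against the two file names the message mentions, as an added example that is not part of the original mail or of kget's source. std::regex stands in for QRegExp, `rejectedWithCaret` is a hypothetical variant that swaps `$` for `^` (an assumption about the intended anchor, not the upstream fix), and `dir/file.png` is a constructed benign name.

```cpp
#include <iostream>
#include <regex>
#include <string>

// True when s ends with suffix (stand-in for QString::endsWith).
static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Shared shape of the quoted condition: a regex test for the start of the
// name, plus the two substring tests for "/../" and a trailing "/..".
static bool rejected(const std::string& name, const std::regex& leading) {
    return std::regex_search(name, leading) ||
           name.find("/../") != std::string::npos ||
           endsWith(name, "/..");
}

// The condition exactly as quoted. '$' asserts end of string, so the pattern
// needs a '/' after the end of the input and can never match; only the two
// substring tests do any work.
bool rejectedAsQuoted(const std::string& name) {
    static const std::regex leading(R"($(\.\.?)?/)");
    return rejected(name, leading);
}

// Hypothetical variant (assumption): '^' anchors the same pattern at the
// start, so a leading "/", "./" or "../" is matched by the regex itself.
bool rejectedWithCaret(const std::string& name) {
    static const std::regex leading(R"(^(\.\.?)?/)");
    return rejected(name, leading);
}

int main() {
    const char* names[] = {
        "../../../tmp/secunia.png",  // name from the metalink test in the message
        "../foo/bar",                // name quoted from Felix's comment
        "dir/file.png",              // constructed benign name
    };
    for (const char* n : names) {
        std::cout << n << "  as quoted: "
                  << (rejectedAsQuoted(n) ? "rejected" : "accepted")
                  << "  with '^': "
                  << (rejectedWithCaret(n) ? "rejected" : "accepted") << "\n";
    }
    return 0;
}
```

With the condition as quoted, `../../../tmp/secunia.png` is rejected only because it contains `/../`; a regression test for this check should therefore also include a name with a single leading `../`.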