PublicDateAtUSN: 2016-07-18
Candidate: CVE-2016-6232
PublicDate: 2016-08-02 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6232
 https://git.reviewboard.kde.org/r/128185/
 http://seclists.org/oss-sec/2016/q3/78
 https://www.kde.org/info/security/advisory-20160724-1.txt
 https://ubuntu.com/security/notices/USN-3042-1
 https://ubuntu.com/security/notices/USN-4100-1
Description:
 Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.
Ubuntu-Description:
Notes:
Bugs:
 https://launchpad.net/bugs/1712948
Priority: medium
Discovered-by: Andreas Cord-Landwehr
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_karchive:
upstream: https://cgit.kde.org/karchive.git/commit/?id=0cb243f64eef45565741b27364cece7d5c349c37
upstream_karchive: released (5.24.0)
precise_karchive: DNE
precise/esm_karchive: DNE
trusty_karchive: DNE
trusty/esm_karchive: DNE
vivid/stable-phone-overlay_karchive: DNE
vivid/ubuntu-core_karchive: DNE
wily_karchive: ignored (reached end-of-life)
xenial_karchive: released (5.18.0-0ubuntu1.1)
yakkety_karchive: ignored (reached end-of-life)
zesty_karchive: not-affected (5.31.0-0ubuntu1)
artful_karchive: not-affected
bionic_karchive: not-affected
cosmic_karchive: not-affected
disco_karchive: not-affected
devel_karchive: not-affected

Patches_kde4libs:
upstream_kde4libs: needed
precise_kde4libs: released (4:4.8.5-0ubuntu0.5)
precise/esm_kde4libs: DNE (precise was released [4:4.8.5-0ubuntu0.5])
trusty_kde4libs: released (4:4.13.3-0ubuntu0.3)
trusty/esm_kde4libs: released (4:4.13.3-0ubuntu0.3)
vivid/stable-phone-overlay_kde4libs: DNE
vivid/ubuntu-core_kde4libs: DNE
wily_kde4libs: released (4:4.14.13-0ubuntu1.1)
xenial_kde4libs: released (4:4.14.16-0ubuntu3.3)
yakkety_kde4libs: ignored (reached end-of-life)
zesty_kde4libs: not-affected (4:4.14.30-0ubuntu1.1)
artful_kde4libs: not-affected (4:4.14.34-0ubuntu2)
bionic_kde4libs: not-affected (4:4.14.34-0ubuntu2)
cosmic_kde4libs: not-affected (4:4.14.34-0ubuntu2)
disco_kde4libs: not-affected (4:4.14.34-0ubuntu2)
devel_kde4libs: DNE