Hello,

Just wondering if we need to fix CVE-2016-6232 in kdelib4 or not?

Looks like this is an issue if you try to extract a tar file that contains relative paths outside the archive's root. Is this considered a security issue we need to address? Such as this one that comes as a test case:

# tar -tvf autotests/tar_relative_path_outside_archive.tar.bz2
tar: Removing leading `../' from member names
-rw-r--r-- cordlandwehr/cordlandwehr 5 2016-06-08 02:09 ../foo

Looks like the vulnerability exists (from inspecting source code only; haven't tried to reproduce it) in wheezy. At a quick glance it looks like the patch should be easy to apply (visually at least; patch doesn't seem to like it) as the code looks very similar. Files have been moved to different locations. Although I won't know for certain until I try to apply the patch.

I am out of time now, however thought this is a question that should be asked first.

Regards
--
Brian May <b...@debian.org>
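Added example, not part of the thread and not KArchive/kdelibs code: a Python sketch of the check an extractor needs against the class of archive described above. It builds, in memory, a tar whose members try to leave the extraction root (a `../foo` member shaped like the test case, plus an absolute name, a `..` hidden mid-path and a symlink pointing outside), then refuses every member whose resolved destination, or whose link target, does not stay under the destination directory. The member names other than `../foo`, and all function names, are assumptions of this illustration; Python's `tarfile` stands in for the C++ archive code the thread is about.

```python
import io
import os
import tarfile
import tempfile


def build_traversal_tar() -> bytes:
    """Construct, in memory, a tar whose members try to escape the root.

    Constructed sample data: '../foo' mirrors the shape of the test case in
    the thread (a 5-byte member named ../foo); the other names are assumed
    here to cover absolute paths, '..' hidden mid-path, and a symlink whose
    target points outside the destination.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (
            ("../foo", b"hello"),          # relative path above the root
            ("ok.txt", b"fine"),           # the only legitimate member
            ("/abs.txt", b"abs"),          # absolute path
            ("sub/../../evil", b"evil"),   # '..' that only shows after normalising
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")   # symlink whose target is ../outside
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"
        tar.addfile(link)
    return buf.getvalue()


def _inside(path: str, root: str) -> bool:
    """True if the resolved path is root itself or strictly below it."""
    return path == root or path.startswith(root + os.sep)


def classify_members(tar_bytes: bytes, dest: str):
    """Split members into (safe, rejected) for extraction into dest.

    A member is rejected when its resolved destination (after joining to
    dest and collapsing '..') is not under dest, or, for symlinks and hard
    links, when the link target would not resolve under dest either.
    """
    root = os.path.realpath(dest)
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            ok = _inside(target, root)
            if m.issym():
                # symlink targets are relative to the link's own directory
                link_dir = os.path.dirname(target)
                ok = ok and _inside(os.path.realpath(os.path.join(link_dir, m.linkname)), root)
            elif m.islnk():
                # hard link targets are relative to the archive root
                ok = ok and _inside(os.path.realpath(os.path.join(root, m.linkname)), root)
            (safe if ok else rejected).append(m.name)
    return safe, rejected


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only the members that stay inside dest; return rejected names."""
    safe, rejected = classify_members(tar_bytes, dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.name in safe]
        # Python 3.12+ (and backports) can enforce the same rules itself via
        # the 'data' extraction filter; use it as a second line of defence.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return rejected


def run_demo() -> dict:
    """Extract the sample archive into a fresh temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        rejected = safe_extract(build_traversal_tar(), dest)
        return {
            "rejected": rejected,
            "ok_written": os.path.isfile(os.path.join(dest, "ok.txt")),
            "foo_escaped": os.path.exists(os.path.join(tmp, "foo")),
        }


if __name__ == "__main__":
    print(run_demo())
```

The classification is done on the resolved path rather than by looking for a leading `../`, because `sub/../../evil` has no such prefix yet lands in the parent directory, and an absolute name bypasses a prefix check entirely. Link members are checked separately: a symlink that itself sits inside the destination but points outside would otherwise let a later member write through it.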