CVE-2016-6232

Published: 18 July 2016

Directory traversal vulnerability in KArchive before 5.24, as used in KDE Frameworks, allows remote attackers to write to arbitrary files via a ../ (dot dot slash) in a filename in an archive file, related to KNewsstuff downloads.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: karchive
  Upstream: Released (5.24.0)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable
  Ubuntu 16.04 LTS (Xenial Xerus): Released (5.18.0-0ubuntu1.1)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

  Patches:
  Upstream: https://cgit.kde.org/karchive.git/commit/?id=0cb243f64eef45565741b27364cece7d5c349c37

Package: kde4libs
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (4:4.14.34-0ubuntu2)
  Ubuntu 16.04 LTS (Xenial Xerus): Released (4:4.14.16-0ubuntu3.3)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (4:4.13.3-0ubuntu0.3)