Binary files /tmp/tmpMwKN6A/S9MIb6mIgb/karchive-5.18.0/autotests/tar_relative_path_outside_archive.tar.bz2 and /tmp/tmpMwKN6A/osKW7fecUf/karchive-5.18.0/autotests/tar_relative_path_outside_archive.tar.bz2 differ
diff -Nru karchive-5.18.0/debian/changelog karchive-5.18.0/debian/changelog
--- karchive-5.18.0/debian/changelog 2016-03-07 22:18:05.000000000 +0000
+++ karchive-5.18.0/debian/changelog 2017-09-07 15:47:16.000000000 +0000
@@ -1,3 +1,12 @@
+karchive (5.18.0-0ubuntu1.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: KNewstuff downloads can install files outside the
+ extraction directory (LP: #1712948)
+ - fix-CVE-2016-6232.patch
+ - CVE-2016-6232
+
+ -- Simon Quigley Sat, 02 Sep 2017 01:06:58 -0500
+
 karchive (5.18.0-0ubuntu1) xenial; urgency=medium
 [ Scarlett Clark ]
diff -Nru karchive-5.18.0/debian/control karchive-5.18.0/debian/control
--- karchive-5.18.0/debian/control 2016-03-07 22:18:05.000000000 +0000
+++ karchive-5.18.0/debian/control 2017-09-07 15:47:16.000000000 +0000
@@ -1,7 +1,8 @@
 Source: karchive
 Section: libs
 Priority: optional
-Maintainer: Debian/Kubuntu Qt/KDE Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian/Kubuntu Qt/KDE Maintainers
 Uploaders: Maximiliano Curia
 Build-Depends: cmake (>= 2.8.12),
 debhelper (>= 9),
diff -Nru karchive-5.18.0/debian/patches/fix-CVE-2016-6232.patch karchive-5.18.0/debian/patches/fix-CVE-2016-6232.patch
--- karchive-5.18.0/debian/patches/fix-CVE-2016-6232.patch 1970-01-01 00:00:00.000000000 +0000
+++ karchive-5.18.0/debian/patches/fix-CVE-2016-6232.patch 2017-09-07 15:47:16.000000000 +0000
@@ -0,0 +1,82 @@
+Description: Ensure extraction location to be in subfolder
+ Behavior change: Switch to Tar's default behavior to avoid extraction to
+ arbitrary system locations outside of extraction folder. Instead, extract
+ such files to root location in extraction folder.
+ .
+ This fixes CVE-2016-6232.
+Author: Andreas Cord-Landwehr
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1712948
+Applied-Upstream: commit:0cb243
+Last-Update: 2017-09-02
+--- a/autotests/karchivetest.cpp
++++ b/autotests/karchivetest.cpp
+@@ -760,6 +760,24 @@ void KArchiveTest::testTarDirectoryTwice
+
+ QCOMPARE(listing.count(), 3);
+ }
++
++void KArchiveTest::testTarIgnoreRelativePathOutsideArchive()
++{
++ // This test extracts a Tar archive that contains a relative path "../foo" pointing
++ // outside of the archive directory. For security reasons extractions should only
++ // be allowed within the extracted directory as long as not specifically asked.
++
++ KTar tar(QFINDTESTDATA(QLatin1String("tar_relative_path_outside_archive.tar.bz2")));
++ QVERIFY(tar.open(QIODevice::ReadOnly));
++
++ const KArchiveDirectory *dir = tar.directory();
++ QTemporaryDir tmpDir;
++ const QString dirName = tmpDir.path() + '/';
++
++ QVERIFY(dir->copyTo(dirName));
++ QVERIFY(!QFile::exists(dirName + "../foo"));
++ QVERIFY(QFile::exists(dirName + "/foo"));
++}
+ ///
+
+ static const char s_zipFileName[] = "karchivetest.zip";
+--- a/autotests/karchivetest.h
++++ b/autotests/karchivetest.h
+@@ -76,6 +76,7 @@ private Q_SLOTS:
+ void testTarDirectoryForgotten();
+ void testTarRootDir();
+ void testTarDirectoryTwice();
++ void testTarIgnoreRelativePathOutsideArchive();
+
+ void testCreateZip();
+ void testCreateZipError();
+--- a/src/karchive.cpp
++++ b/src/karchive.cpp
+@@ -841,6 +841,7 @@ static bool sortByPosition(const KArchiv
+ bool KArchiveDirectory::copyTo(const QString &dest, bool recursiveCopy) const
+ {
+ QDir root;
++ const QString destDir(QDir(dest).absolutePath()); // get
directory path without any "." or ".."
+
+ QList fileList;
+ QMap fileToDir;
+@@ -850,10 +851,20 @@ bool KArchiveDirectory::copyTo(const QSt
+ QStack dirNameStack;
+
+ dirStack.push(this); // init stack at current directory
+- dirNameStack.push(dest); // ... with given path
++ dirNameStack.push(destDir); // ... with given path
+ do {
+ const KArchiveDirectory *curDir = dirStack.pop();
+- const QString curDirName = dirNameStack.pop();
++
++ // extract only to specified folder if it is located within archive's extraction folder
++ // otherwise put file under root position in extraction folder
++ QString curDirName = dirNameStack.pop();
++ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
++ qWarning() << "Attempted export into folder" << curDirName
++ << "which is outside of the extraction root folder" << destDir << "."
++ << "Changing export of contained files to extraction root folder.";
++ curDirName = destDir;
++ }
++
+ if (!root.mkpath(curDirName)) {
+ return false;
+ }
+Binary files /dev/null and b/autotests/tar_relative_path_outside_archive.tar.bz2 differ
diff -Nru karchive-5.18.0/debian/patches/series karchive-5.18.0/debian/patches/series
--- karchive-5.18.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ karchive-5.18.0/debian/patches/series 2017-09-07 15:47:16.000000000 +0000
@@ -0,0 +1 @@
+fix-CVE-2016-6232.patch
diff -Nru karchive-5.18.0/debian/source/include-binaries karchive-5.18.0/debian/source/include-binaries
--- karchive-5.18.0/debian/source/include-binaries 1970-01-01 00:00:00.000000000 +0000
+++ karchive-5.18.0/debian/source/include-binaries 2017-09-07 15:47:16.000000000 +0000
@@ -0,0 +1 @@
+autotests/tar_relative_path_outside_archive.tar.bz2
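Review bot: The containment check in the second src/karchive.cpp hunk, `QDir(curDirName).absolutePath().startsWith(destDir)`, is a bare string-prefix test, so a directory that resolves to a sibling sharing the prefix — e.g. an entry `../out-evil/` extracted under `/tmp/out`, which absolutePath() collapses to `/tmp/out-evil` — still passes and is created outside the extraction root. Compare against the root plus a separator instead: `const QString absDir = QDir(curDirName).absolutePath();` followed by `if (absDir != destDir && !absDir.startsWith(destDir + QLatin1Char('/'))) {` (destDir itself has no trailing separator, since QDir strips it). Per the Qt docs absolutePath() collapses `.` and `..` lexically but may still contain symbolic links, so a symlink that already exists under destDir is not caught here; canonicalPath() would resolve it but only for paths that exist, so that limit should at least be stated in the comment above the check. The new test only exercises `../foo`; a fixture with a sibling-prefix entry would pin the stricter comparison. copyTo's body continues past the end of the hunk, so whether the file entries collected in fileToDir get the same containment treatment cannot be confirmed from here.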