Andreas Cord-Landwehr discovered that kde4libs, the core libraries for all KDE 4 applications, do not properly handle the extraction of archives with "../" in the file paths. A remote attacker can take advantage of this flaw to overwrite files outside of the extraction folder, if a user is tricked into extracting a specially crafted archive. For the stable distribution (jessie), this problem has been fixed in version 4:4.14.2-5+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 4:4.14.22-2. We recommend that you upgrade your kde4libs packages.
Andreas Cord-Landwehr discovered that kde4libs, the core libraries for all KDE 4 applications, do not properly handle the extraction of archives with "../" in the file paths. A remote attacker can take advantage of this flaw to overwrite files outside of the extraction folder, if a user is tricked into extracting a specially crafted archive.
For the stable distribution (jessie), this problem has been fixed in version 4:4.14.2-5+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 4:4.14.22-2.
We recommend that you upgrade your kde4libs packages.