KGet in KDE contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the KGetMetalink::File::isValidNameAttr function in ui/metalinkcreator/metalinker.cpp not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the name attribute of a file element in a metalink file. This directory traversal attack would allow a remote attacker to create arbitrary files.

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been released in the SVN repository to address this vulnerability. Check the vendor advisory or solution in the references section.

• CVE ID: 2011-1586 (see also: NVD)
• Secunia Advisory ID: 44124 44176 44329
• Related OSVDB ID: 64690
• ISS X-Force ID: 66826
• VUPEN Advisory: ADV-2011-1019 ADV-2011-1021 ADV-2011-1135
• Other Advisory URL: http://openwall.com/lists/oss-security/2011/04/15/9
  http://www.mandriva.com/security/advisories?name=MDVSA-2011:081
  http://www.ubuntu.com/usn/usn-1114-1/
• Mail List Post: http://seclists.org/fulldisclosure/2011/May/42
• Vendor Specific News/Changelog Entry: http://websvn.kde.org/branches/KDE/4.4/kdenetwork/kget/ui/metalinkcreator/metalinker.cpp?r1=1227468&r2=1227467&pathrev=1227468
  http://websvn.kde.org/branches/KDE/4.5/kdenetwork/kget/ui/metalinkcreator/metalinker.cpp?r1=1227469&r2=1227468&pathrev=1227469
  http://websvn.kde.org/branches/KDE/4.6/kdenetwork/kget/ui/metalinkcreator/metalinker.cpp?r1=1227471&r2=1227470&pathrev=1227471
  https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526
  https://bugzilla.redhat.com/show_bug.cgi?id=697042
  https://launchpad.net/bugs/757526
• Vendor URL: http://www.kde.org/
• Vendor Specific Advisory URL: http://www.ubuntu.com/usn/usn-1114-1/
• RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2011-0465.html
  RHSA-2011:0465

• Not Available