Bug 429925 - ZIP directory traversal through document title corrupts .kra files
Status: ASSIGNED
Alias: None
Product: krita
Classification: Applications
Component: File formats
Version: 4.4.1
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Tiar
Reported: 2020-12-02 13:23 UTC by Nagy Tibor
Modified: 2022-01-08 17:21 UTC

Attachments
Observed result (46.06 KB, image/png)
2020-12-02 13:23 UTC, Nagy Tibor

Description Nagy Tibor 2020-12-02 13:23:39 UTC
Created attachment 133807
Observed result

SUMMARY
Entering relative paths to the document title field corrupts .kra files on save through a ZIP directory traversal bug.

KDE Ark also flags these archives as "contains ill-formed entries and might be a malicious archive".

STEPS TO REPRODUCE
1. Create a new document
2. File -> Document Information -> General -> Title
3. Enter "../../../../../test/" as the document title (without quotes)
4. Save as .kra and close the document
5. Reopen the document

OBSERVED RESULT
See attachment.

EXPECTED RESULT
Don't corrupt documents on save whatever the document title is.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: KDE neon 5.20
KDE Plasma Version: 5.20.3
KDE Frameworks Version: 5.76.0
Qt Version: 5.15.1

ADDITIONAL INFORMATION
Comment 1 Halla Rempt 2020-12-02 13:27:38 UTC
Yes, I can confirm this. I guess it's not a real problem in practice, but we'll have to fix it.
Comment 2 Bug Janitor Service 2022-01-08 17:21:12 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/krita/-/merge_requests/1290
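
A check of the kind Ark's warning in the description points at, added here as an example (not code from Krita, Ark, or the linked merge request): it lists ZIP entries whose names are absolute or contain `..` components, and shows a title reduced to a single path component before it is used in an entry name. The archive layout and the names `build_archive`, `unsafe_entries` and `safe_component` are assumptions made for illustration.

```python
import io
import zipfile


def safe_component(title, fallback="untitled"):
    """Reduce free-form text to one path component usable inside an archive."""
    cleaned = "".join("_" if c in "/\\:" or ord(c) < 32 else c for c in title)
    cleaned = cleaned.strip(" .")  # rules out "", "." and ".."
    return cleaned or fallback


def build_archive(title, sanitize):
    """Constructed sample: a ZIP whose layer entry is prefixed by the title.

    Assumption: the writer joins the title into an entry path; this layout is
    hypothetical and only models the behaviour the report describes.
    """
    prefix = safe_component(title) if sanitize else title
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/x-krita")
        zf.writestr("maindoc.xml", "<DOC/>")
        zf.writestr(prefix + "/layers/layer1", b"\x00" * 16)
    return buf.getvalue()


def unsafe_entries(zip_bytes):
    """Return entry names that are absolute or climb out of the archive root."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            if norm.startswith("/") or ".." in norm.split("/"):
                bad.append(name)
    return bad


if __name__ == "__main__":
    title = "../../../../../test/"  # the title from the steps to reproduce
    print("raw title:      ", unsafe_entries(build_archive(title, False)))
    print("sanitized title:", unsafe_entries(build_archive(title, True)))
```
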