For what it's worth, sponsor, the debdiff includes a reference to a new tar file that was included, but obviously you can't see that in the debdiff. Here's a link to it: https://cgit.kde.org/karchive.git/tree/autotests/tar_relative_path_outside_archive.tar.bz2?id=0cb243
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1712948

Title:
  [CVE] KNewstuff downloads can install files outside the extraction directory

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/karchive/+bug/1712948/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs