From 0004c7cba6d0b901f7cdb86a7876499fefeac422 Mon Sep 17 00:00:00 2001
From: pangqing
Date: Fri, 6 Sep 2024 23:30:36 +0800
Subject: [PATCH] CVE-2021-38291

Signed-off-by: pangqing
---
 backport-CVE-2021-38291.patch | 28 ++++++++++++++++++++++++++++
 deepin-compressor.spec | 8 ++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2021-38291.patch

diff --git a/backport-CVE-2021-38291.patch b/backport-CVE-2021-38291.patch
new file mode 100644
index 0000000..1927b72
--- /dev/null
+++ b/backport-CVE-2021-38291.patch
@@ -0,0 +1,28 @@
+From 16139a75c8a678504f0e72b1469e5a2313ca530b Mon Sep 17 00:00:00 2001
+From: root
+Date: Fri, 6 Sep 2024 23:24:23 +0800
+Subject: [PATCH] CVE-2021-38291
+
+---
+ 3rdparty/libzipplugin/libzipplugin.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/3rdparty/libzipplugin/libzipplugin.cpp b/3rdparty/libzipplugin/libzipplugin.cpp
+index 3499046..3044470 100644
+--- a/3rdparty/libzipplugin/libzipplugin.cpp
++++ b/3rdparty/libzipplugin/libzipplugin.cpp
+@@ -677,6 +677,11 @@ ErrorType LibzipPlugin::extractEntry(zip_t *archive, zip_int64_t index, const Ex
+ 
+     strFileName = m_common->trans2uft8(statBuffer.name, m_mapFileCode[index]); // 解压文件名(压缩包中)
+     // 提取
++    //fix 232873
++    if(strFileName.indexOf("../") != -1) {
++        qInfo() << "skipped ../ path component(s) in " << strFileName;
++        strFileName = strFileName.replace("../", "");
++    }
+     if (!options.strDestination.isEmpty()) {
+         strFileName = strFileName.remove(0, options.strDestination.size());
+     }
+--
+2.39.3
+
diff --git a/deepin-compressor.spec b/deepin-compressor.spec
index ba1d3f1..3c77059 100644
--- a/deepin-compressor.spec
+++ b/deepin-compressor.spec
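Review bot: The guard added to extractEntry is a single pass of `strFileName.replace("../", "")`, which does not rescan the text it produces, so an entry name such as `....//` comes out as `../` and the traversal this backport is meant to close (CVE-2021-38291) is still reachable; the `indexOf` test on the line before has the same blind spot. Strip the component in a loop until the name is stable (every pass shortens the string, so it terminates) and then confirm the cleaned name does not still resolve above the extraction directory, as sketched below. Whether absolute entry names (a leading `/`) are rejected elsewhere is not visible from this hunk and should be checked, and `QDir` may need an include if the file does not already pull it in. The enclosing LibzipPlugin::extractEntry starts and ends outside the hunk, and the `ErrorType` value reported for a skipped entry is not shown, so the fence leaves that return as a marked placeholder.
```cpp
    strFileName = m_common->trans2uft8(statBuffer.name, m_mapFileCode[index]); // 解压文件名(压缩包中)
    // fix 232873: a single replace("../", "") is bypassable because the pieces it
    // leaves behind can form a new "../" (e.g. "....//" -> "../"); strip until the
    // name is stable instead — each pass shortens the string, so this terminates.
    while (strFileName.contains("../")) {
        qInfo() << "skipped ../ path component(s) in " << strFileName;
        strFileName.remove("../");
    }
    // Belt and braces: after normalisation the entry must not resolve above the
    // extraction directory (catches a bare ".." the loop above does not touch).
    const QString cleanedName = QDir::cleanPath(strFileName);
    if (cleanedName == ".." || cleanedName.startsWith("../")) {
        qInfo() << "skipped entry escaping the destination: " << strFileName;
        // NOTE(review): return the ErrorType this plugin uses for a skipped entry
    }
    // … unchanged: strDestination prefix removal …
```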
@@ -1,10 +1,11 @@
 Name: deepin-compressor
 Version: 5.10.11
-Release: 3
+Release: 4
 Summary: A fast and lightweight application for creating and extracting archives
 License: GPLv3+
 URL: https://github.com/linuxdeepin/deepin-devicemanager
 Source0: %{name}-%{version}.tar.gz
+Patch0: backport-CVE-2021-38291.patch
 
 BuildRequires: gcc-c++
 BuildRequires: cmake
@@ -36,7 +37,7 @@ Recommends: unrar p7zip-plugins
 %{summary}.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 export PATH=%{_qt5_bindir}:$PATH
@@ -64,6 +65,9 @@ popd
 %{_datadir}/applications/context-menus/*.conf
 
 %changelog
+* Fri Sep 06 2024 pangqing - 5.10.11-4
+- CVE-2021-38291
+
 * Fri Nov 24 2023 haomimi - 5.10.11-3
 - Remove unnecessary macro decisions
 
--
Gitee