
Bug#1010180: marked as done (ktexteditor: CVE-2022-23853)
Your message dated Thu, 12 May 2022 22:44:30 +0000
with message-id <E1npHXq-000J2A-3L@fasolo.debian.org>
and subject line Bug#1010180: fixed in ktexteditor 5.93.0-1
has caused the Debian Bug report #1010180,
regarding ktexteditor: CVE-2022-23853
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1010180: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010180
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ktexteditor
Version: 5.90.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ktexteditor.

CVE-2022-23853[0]:
| The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2
| and KTextEditor before 5.91.0 tries to execute the associated LSP
| server binary when opening a file of a given type. If this binary is
| absent from the PATH, it will try running the LSP server binary in the
| directory of the file that was just opened (due to a misunderstanding
| of the QProcess API, that was never intended). This can be an
| untrusted directory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23853
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23853
[1] https://kde.org/info/security/advisory-20220131-1.txt
[2] https://commits.kde.org/ktexteditor/804e49444c093fe58ec0df2ab436565e50dc147e
[3] https://commits.kde.org/ktexteditor/c80f935c345de2e2fb10635202800839ca9697bf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
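The executable lookup described in the report above, shown from the fixing side as an added example that is not KTextEditor's, Qt's or Debian's code: a resolver that looks a configured LSP server command up strictly in PATH and reports "not installed" instead of falling through to the directory of the opened file, exercised against a constructed layout in which a same-named executable sits in the document directory. It also skips empty or relative PATH entries, which on POSIX mean the current directory; the function names and the temporary layout are assumptions made for this example.

```python
import os
import tempfile
from typing import Optional

def _is_executable(path: str) -> bool:
    return os.path.isfile(path) and os.access(path, os.X_OK)

def resolve_server_binary(cmd: str, search_path: Optional[str] = None) -> Optional[str]:
    """Resolve an LSP server command strictly against PATH; return an absolute
    path or None. The current working directory and the document's directory
    are never consulted: that fallback turned a missing binary into code execution."""
    if os.path.isabs(cmd):                 # explicit absolute path from config: fine if executable
        return cmd if _is_executable(cmd) else None
    if not cmd or os.sep in cmd:           # "./clangd" is cwd-relative: refuse
        return None
    path_env = os.environ.get("PATH", "") if search_path is None else search_path
    for entry in path_env.split(os.pathsep):
        # An empty or relative PATH entry means "current directory" on POSIX,
        # which may be the untrusted document directory: skip it.
        if not entry or not os.path.isabs(entry):
            continue
        candidate = os.path.join(entry, cmd)
        if _is_executable(candidate):
            return candidate
    return None

def demo() -> dict:
    """Constructed layout (hypothetical): a trusted bin dir and an untrusted document
    dir, both holding an executable named 'clangd'. Returns the resolver's verdicts."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir, doc_dir = os.path.join(root, "bin"), os.path.join(root, "untrusted-docs")
        for d in (bin_dir, doc_dir):
            os.makedirs(d)
            fake = os.path.join(d, "clangd")
            with open(fake, "w") as f:
                f.write("#!/bin/sh\necho constructed fake server\n")
            os.chmod(fake, 0o755)
        old_cwd = os.getcwd()
        os.chdir(doc_dir)                  # the editor's cwd is the document directory
        try:
            return {
                "installed": resolve_server_binary("clangd", bin_dir),
                "not_installed": resolve_server_binary("clangd", os.path.join(root, "nowhere")),
                "cwd_entry_ignored": resolve_server_binary("clangd", ""),
                "relative_refused": resolve_server_binary("./clangd", bin_dir),
            }
        finally:
            os.chdir(old_cwd)
```

A caller that gets None from the resolver should log that the server is not installed and leave the document without LSP support rather than trying another directory.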
--- Begin Message ---
Source: ktexteditor
Source-Version: 5.93.0-1
Done: Aurélien COUDERC <coucouf@debian.org>

We believe that the bug you reported is fixed in the latest version of
ktexteditor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010180@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurélien COUDERC <coucouf@debian.org> (supplier of updated ktexteditor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 11 May 2022 23:22:49 +0200
Source: ktexteditor
Architecture: source
Version: 5.93.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Aurélien COUDERC <coucouf@debian.org>
Closes: 1010180
Changes:
 ktexteditor (5.93.0-1) unstable; urgency=medium
 .
   [ Aurélien COUDERC ]
   * New upstream release (5.93.0). (Closes: #1010180 and CVE-2022-23853)
   * Update the list of installed files from build logs.
   * Update symbols from build for 5.93.0.

--- End Message ---