
Bug#854861: unblock: ark/4:16.08.3-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Dear release team,

The current version of ark for stretch is affected by CVE-2017-5330, as 
reported in 850874. The bug is currently tagged as can-defer, but 
since we have an upstream patch it seems to make sense to include it for 
stretch.

I'm attaching the debdiff against the package in testing.

Happy hacking,

unblock ark/4:16.08.3-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

diff -Nru ark-16.08.3/debian/changelog ark-16.08.3/debian/changelog
--- ark-16.08.3/debian/changelog	2016-11-23 20:48:43.000000000 +0100
+++ ark-16.08.3/debian/changelog	2017-02-10 16:29:46.000000000 +0100
@@ -1,3 +1,10 @@
+ark (4:16.08.3-2) unstable; urgency=medium
+
+  * Add new patch: Stop-running-executables-when-opening-urls.patch (CVE-2017-5330)
+    Thanks to Salvatore Bonaccorso for reporting (Closes: 850874)
+
+ -- Maximiliano Curia <maxy@debian.org>  Fri, 10 Feb 2017 16:29:46 +0100
+
 ark (4:16.08.3-1) unstable; urgency=medium
 
   * New upstream release (16.08.3)
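Review bot: the `Closes:` reference in the new changelog entry uses a bare bug number, `(Closes: 850874)`; the conventional Debian form is `(Closes: #850874)`, which is what most tooling and readers expect, so consider adding the `#`. Otherwise the entry correctly names the added patch and the CVE it addresses, which makes the security rationale easy to find from the changelog alone.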
diff -Nru ark-16.08.3/debian/patches/series ark-16.08.3/debian/patches/series
--- ark-16.08.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ark-16.08.3/debian/patches/series	2017-02-10 16:29:46.000000000 +0100
@@ -0,0 +1 @@
+Stop-running-executables-when-opening-urls.patch
diff -Nru ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch
--- ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch	1970-01-01 01:00:00.000000000 +0100
+++ ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch	2017-02-10 16:29:46.000000000 +0100
@@ -0,0 +1,26 @@
+From: Elvis Angelaccio <elvis.angelaccio@kde.org>
+Date: Fri, 6 Jan 2017 15:35:46 +0100
+Subject: Stop running executables when opening urls
+
+This is a security risk because it's not clear when an entry in an
+archive is an executable.
+
+BUG: 374572
+FIXED-IN: 16.12.1
+---
+ part/part.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/part/part.cpp b/part/part.cpp
+index 0bb2bcb9..f71fc77b 100644
+--- a/part/part.cpp
++++ b/part/part.cpp
+@@ -945,7 +945,7 @@ void Part::slotOpenExtractedEntry(KJob *job)
+         } else {
+             KRun::runUrl(QUrl::fromUserInput(fullName, QString(), QUrl::AssumeLocalFile),
+                          QMimeDatabase().mimeTypeForFile(fullName).name(),
+-                         widget());
++                         widget(), false, false);
+         }
+     } else if (job->error() != KJob::KilledJobError) {
+         KMessageBox::error(widget(), job->errorString());
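Review bot: the substantive change in `part/part.cpp` is two positional boolean arguments, `widget(), false, false`, with nothing in the hunk saying which of them stops executables from being run; a one-line comment on the call (or a follow-up patch using a named flag if the KIO version in stretch offers one) would keep the intent visible to whoever next touches this code. The patch header also carries the upstream `From:`/`Date:`/`Subject:` and `BUG: 374572` lines but no DEP-3 `Origin:` pointing at the upstream commit and no `Bug-Debian:` line for 850874; adding both records the provenance where the patch lives rather than only in the changelog. Since the series file is newly created here, this is the package's first patch, so it is worth confirming that `dpkg-source` applies it cleanly at build time.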