
Bug#635541: marked as done (ark: Directory traversal)



Your message dated Sat, 03 Dec 2011 12:33:15 +0000
with message-id <E1RWomJ-0006y9-JW@franck.debian.org>
and subject line Bug#635541: fixed in kdeutils 4:4.6.5-4
has caused the Debian Bug report #635541,
regarding ark: Directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
635541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635541
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ark
Version: 4:4.6.5-2
Severity: grave
Tags: security

The following was reported on oss-security. There's no CVE assignment
or any details yet:

---
Date: Mon, 25 Jul 2011 14:45:14 -0400
From: Jeff Mitchell <mitchell@kde.org>
Subject: [oss-security] CVE Request: Ark path traversal

Hello,

Ark contains a path traversal vulnerability allowing a
maliciously-crafted zip file to allow for an arbitrary file to be
displayed and, if the user has appropriate credentials, removed.

Can we please get a CVE for this?

Thanks,
Jeff
---

Could you contact upstream for details?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ark depends on:
ii  kdebase-runtime               4:4.6.5-1  runtime components from the offici
ii  libarchive1                   2.8.4-1    Single library to read/write tar, 
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libkdecore5                   4:4.6.5-2  KDE Platform Core Library
ii  libkdeui5                     4:4.6.5-2  KDE Platform User Interface Librar
ii  libkfile4                     4:4.6.5-2  File Selection Dialog Library for 
ii  libkhtml5                     4:4.6.5-2  KHTML Web Content Rendering Engine
ii  libkio5                       4:4.6.5-2  Network-enabled File Management Li
ii  libkonq5abi1                  4:4.6.5-1  core libraries for Konqueror
ii  libkparts4                    4:4.6.5-2  Framework for the KDE Platform Gra
ii  libkpty4                      4:4.6.5-2  Pseudo Terminal Library for the KD
ii  libqt4-dbus                   4:4.7.3-5  Qt 4 D-Bus module
ii  libqtcore4                    4:4.7.3-5  Qt 4 core module
ii  libqtgui4                     4:4.7.3-5  Qt 4 GUI module
ii  libstdc++6                    4.6.1-4    GNU Standard C++ Library v3

Versions of packages ark recommends:
ii  bzip2                    1.0.5-6         high-quality block-sorting file co
ii  p7zip-full               9.20.1~dfsg.1-2 7z and 7za file archivers with hig
ii  unzip                    6.0-5           De-archiver for .zip files
ii  zip                      3.0-4           Archiver for .zip files

Versions of packages ark suggests:
pn  rar                           <none>     (no description available)
pn  unrar | unrar-free            <none>     (no description available)

-- no debconf information



--- End Message ---
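A check a defender can run on an archive before handing it to an extractor, added here as an example and not part of the bug report or of Ark's own code: it lists the zip entries whose names would resolve outside the chosen extraction directory, which is the kind of crafted entry the report above describes. The sample archive is constructed in memory, and `unsafe_entries` and `build_sample_zip` are names chosen for this example.

```python
import io
import os
import posixpath
import zipfile


def unsafe_entries(zip_bytes, dest="extract"):
    """Return the names of entries that would land outside dest.

    Flags absolute names, names with a drive prefix, names that start
    with '..' after normalisation, and any name whose resolved target
    is not below the extraction directory (the zip-slip pattern).
    """
    dest_abs = os.path.abspath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            target = os.path.abspath(os.path.join(dest_abs, name))
            if (name.startswith(("/", "\\"))
                    or os.path.splitdrive(name)[0]
                    or norm == ".." or norm.startswith("../")
                    or os.path.commonpath([dest_abs, target]) != dest_abs):
                bad.append(name)
    return bad


def build_sample_zip():
    """Constructed sample: two harmless entries and two traversing ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        # '..' that stays inside dest after normalisation is acceptable
        zf.writestr("docs/../notes.txt", "still under the extraction dir")
        # these two would escape the extraction directory
        zf.writestr("../../outside.txt", "escapes upward")
        zf.writestr("/abs/path.txt", "absolute name")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_zip()):
        print("would escape extraction dir:", entry)
```

Python's own `ZipFile.extractall` strips such components before writing; the check matters for any extractor that builds output paths itself, as the affected Ark versions did.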
--- Begin Message ---
Source: kdeutils
Source-Version: 4:4.6.5-4

We believe that the bug you reported is fixed in the latest version of
kdeutils, which is due to be installed in the Debian FTP archive:

ark_4.6.5-4_amd64.deb
  to main/k/kdeutils/ark_4.6.5-4_amd64.deb
filelight_4.6.5-4_amd64.deb
  to main/k/kdeutils/filelight_4.6.5-4_amd64.deb
kcalc_4.6.5-4_amd64.deb
  to main/k/kdeutils/kcalc_4.6.5-4_amd64.deb
kcharselect_4.6.5-4_amd64.deb
  to main/k/kdeutils/kcharselect_4.6.5-4_amd64.deb
kdelirc_4.6.5-4_all.deb
  to main/k/kdeutils/kdelirc_4.6.5-4_all.deb
kdeutils-dbg_4.6.5-4_amd64.deb
  to main/k/kdeutils/kdeutils-dbg_4.6.5-4_amd64.deb
kdeutils_4.6.5-4.debian.tar.gz
  to main/k/kdeutils/kdeutils_4.6.5-4.debian.tar.gz
kdeutils_4.6.5-4.dsc
  to main/k/kdeutils/kdeutils_4.6.5-4.dsc
kdeutils_4.6.5-4_all.deb
  to main/k/kdeutils/kdeutils_4.6.5-4_all.deb
kdf_4.6.5-4_amd64.deb
  to main/k/kdeutils/kdf_4.6.5-4_amd64.deb
kfloppy_4.6.5-4_amd64.deb
  to main/k/kdeutils/kfloppy_4.6.5-4_amd64.deb
kgpg_4.6.5-4_amd64.deb
  to main/k/kdeutils/kgpg_4.6.5-4_amd64.deb
kremotecontrol_4.6.5-4_amd64.deb
  to main/k/kdeutils/kremotecontrol_4.6.5-4_amd64.deb
ktimer_4.6.5-4_amd64.deb
  to main/k/kdeutils/ktimer_4.6.5-4_amd64.deb
kwalletmanager_4.6.5-4_amd64.deb
  to main/k/kdeutils/kwalletmanager_4.6.5-4_amd64.deb
plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
  to main/k/kdeutils/plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
printer-applet_4.6.5-4_all.deb
  to main/k/kdeutils/printer-applet_4.6.5-4_all.deb
sweeper_4.6.5-4_amd64.deb
  to main/k/kdeutils/sweeper_4.6.5-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdeutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 03 Dec 2011 12:32:27 +0100
Source: kdeutils
Binary: kdeutils kdeutils-dbg ark kcalc kcharselect kremotecontrol kdelirc kdf kfloppy kgpg ktimer kwalletmanager plasma-scriptengine-superkaramba sweeper printer-applet filelight
Architecture: source all amd64
Version: 4:4.6.5-4
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 ark        - archive utility
 filelight  - show where your diskspace is being used
 kcalc      - simple and scientific calculator
 kcharselect - special character utility
 kdelirc    - transitional package for kremotecontrol
 kdeutils   - general-purpose utilities from the official KDE SC release
 kdeutils-dbg - debugging symbols for the KDE SC utilities module
 kdf        - disk information utility
 kfloppy    - floppy formatter
 kgpg       - graphical front end for GNU Privacy Guard
 kremotecontrol - frontend for using remote controls
 ktimer     - countdown timer
 kwalletmanager - secure password wallet manager
 plasma-scriptengine-superkaramba - SuperKaramba theme support for the Plasma Workspaces
 printer-applet - manages your printing jobs
 sweeper    - history and temporary file cleaner
Closes: 635541
Changes: 
 kdeutils (4:4.6.5-4) unstable; urgency=high
 .
   [ Pino Toscano ]
   * Backport the upstream r1259334 from the 4.6 branch to fix the Ark
     directory traversal, CVE-2011-2725. (Closes: #635541)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
