Bug#635541: ark: Directory traversal

To: 635541@bugs.debian.org
Subject: Bug#635541: ark: Directory traversal
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 29 Nov 2011 18:02:11 +0100
Message-id: <20111129170210.GA28723@inutil.org>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 635541@bugs.debian.org
In-reply-to: <20110726202046.29853.47359.reportbug@pisco.westfalen.local>
References: <20110726202046.29853.47359.reportbug@pisco.westfalen.local>

On Tue, Jul 26, 2011 at 10:20:46PM +0200, Moritz Muehlenhoff wrote:
> Package: ark
> Version: 4:4.6.5-2
> Severity: grave
> Tags: security
> 
> The following was reported on oss-security. There's no CVE assignment
> or any details yet:
> 
> ---
> Date: Mon, 25 Jul 2011 14:45:14 -0400
> From: Jeff Mitchell <mitchell@kde.org>
> Subject: [oss-security] CVE Request: Ark path traversal
> 
> Hello,
> 
> Ark contains a path traversal vulnerability allowing a
> maliciously-crafted zip file to allow for an arbitrary file to be
> displayed and, if the user has appropriate credentials, removed.
> 
> Can we please get a CVE for this?
> 
> Thanks,
> Jeff
> ---
> 
> Could you contact upstream for details?

KDE maintainers, what's the status?

This has been assigned CVE-2011-2725. Red Hat has collected the
information nicely: https://bugzilla.redhat.com/show_bug.cgi?id=725764

Cheers,
        Moritz

Reply to:

Prev by Date: Bug#650333: kget: Unable to add second download with HTTP AUTH
Next by Date: Bug#604429: Please provide an https self signed feed to test
Previous by thread: Bug#650333: kget: Unable to add second download with HTTP AUTH
Next by thread: Bug#604429: Please provide an https self signed feed to test
Index(es):
- Date
- Thread