
Bug#635541: marked as done (ark: Directory traversal)



Your message dated Mon, 26 Mar 2012 18:32:48 +0000
with message-id <E1SCEim-000127-Ji@franck.debian.org>
and subject line Bug#635541: fixed in kdeutils 4:4.4.5-1+squeeze1
has caused the Debian Bug report #635541,
regarding ark: Directory traversal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
635541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635541
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ark
Version: 4:4.6.5-2
Severity: grave
Tags: security

The following was reported on oss-security. There's no CVE assignment
or any details yet:

---
Date: Mon, 25 Jul 2011 14:45:14 -0400
From: Jeff Mitchell <mitchell@kde.org>
Subject: [oss-security] CVE Request: Ark path traversal

Hello,

Ark contains a path traversal vulnerability allowing a
maliciously-crafted zip file to allow for an arbitrary file to be
displayed and, if the user has appropriate credentials, removed.

Can we please get a CVE for this?

Thanks,
Jeff
---

Could you contact upstream for details?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ark depends on:
ii  kdebase-runtime               4:4.6.5-1  runtime components from the offici
ii  libarchive1                   2.8.4-1    Single library to read/write tar, 
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libkdecore5                   4:4.6.5-2  KDE Platform Core Library
ii  libkdeui5                     4:4.6.5-2  KDE Platform User Interface Librar
ii  libkfile4                     4:4.6.5-2  File Selection Dialog Library for 
ii  libkhtml5                     4:4.6.5-2  KHTML Web Content Rendering Engine
ii  libkio5                       4:4.6.5-2  Network-enabled File Management Li
ii  libkonq5abi1                  4:4.6.5-1  core libraries for Konqueror
ii  libkparts4                    4:4.6.5-2  Framework for the KDE Platform Gra
ii  libkpty4                      4:4.6.5-2  Pseudo Terminal Library for the KD
ii  libqt4-dbus                   4:4.7.3-5  Qt 4 D-Bus module
ii  libqtcore4                    4:4.7.3-5  Qt 4 core module
ii  libqtgui4                     4:4.7.3-5  Qt 4 GUI module
ii  libstdc++6                    4.6.1-4    GNU Standard C++ Library v3

Versions of packages ark recommends:
ii  bzip2                    1.0.5-6         high-quality block-sorting file co
ii  p7zip-full               9.20.1~dfsg.1-2 7z and 7za file archivers with hig
ii  unzip                    6.0-5           De-archiver for .zip files
ii  zip                      3.0-4           Archiver for .zip files

Versions of packages ark suggests:
pn  rar                           <none>     (no description available)
pn  unrar | unrar-free            <none>     (no description available)

-- no debconf information



--- End Message ---
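The class of bug reported above is an archive whose entry names escape the directory the user chose to extract into. The following is an added example, not Ark's code or the upstream fix: a lexical check on entry names plus a filesystem-level containment check before extraction, run against a small zip archive constructed in memory for the test.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if an archive entry name would escape the extraction root."""
    # Treat backslashes as separators too (archives written on Windows).
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True  # absolute POSIX path or Windows drive path
    # normpath turns "docs/../../x" into "../x": a leading ".." is the signal.
    return posixpath.normpath(n).split("/")[0] == ".."


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only entries that stay under dest; return the names skipped."""
    root = os.path.realpath(dest)
    skipped = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Filesystem-level check too: join() discards root for "/etc/x".
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            if is_unsafe_member(info.filename) or os.path.commonpath([root, target]) != root:
                skipped.append(info.filename)
                continue
            zf.extract(info, root)
    return skipped


def build_sample_zip() -> bytes:
    """Constructed fixture: one benign entry and three traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../escaped.txt", "dot-dot at the start")
        zf.writestr("docs/../../escaped2.txt", "dot-dot after a real component")
        zf.writestr("/tmp/absolute.txt", "absolute path")
    return buf.getvalue()


def run_demo() -> tuple:
    """Extract the fixture into a temp dir; return (skipped, extracted) names."""
    with tempfile.TemporaryDirectory() as d:
        skipped = safe_extract(build_sample_zip(), d)
        extracted = sorted(os.path.relpath(os.path.join(r, f), d)
                           for r, _, fs in os.walk(d) for f in fs)
    return skipped, extracted
```

Python's own zipfile.extract already strips leading separators and ".." components, so the explicit check here shows what an archiver that writes files itself must do, and it reports the hostile entries rather than silently renaming them.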
--- Begin Message ---
Source: kdeutils
Source-Version: 4:4.4.5-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
kdeutils, which is due to be installed in the Debian FTP archive:

ark_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/ark_4.4.5-1+squeeze1_amd64.deb
kcalc_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kcalc_4.4.5-1+squeeze1_amd64.deb
kcharselect_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kcharselect_4.4.5-1+squeeze1_amd64.deb
kdelirc_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdelirc_4.4.5-1+squeeze1_amd64.deb
kdeutils-dbg_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdeutils-dbg_4.4.5-1+squeeze1_amd64.deb
kdeutils_4.4.5-1+squeeze1.debian.tar.gz
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1.debian.tar.gz
kdeutils_4.4.5-1+squeeze1.dsc
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1.dsc
kdeutils_4.4.5-1+squeeze1_all.deb
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1_all.deb
kdf_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdf_4.4.5-1+squeeze1_amd64.deb
kfloppy_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kfloppy_4.4.5-1+squeeze1_amd64.deb
kgpg_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kgpg_4.4.5-1+squeeze1_amd64.deb
ktimer_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/ktimer_4.4.5-1+squeeze1_amd64.deb
kwalletmanager_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kwalletmanager_4.4.5-1+squeeze1_amd64.deb
okteta_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/okteta_4.4.5-1+squeeze1_amd64.deb
plasma-scriptengine-superkaramba_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/plasma-scriptengine-superkaramba_4.4.5-1+squeeze1_amd64.deb
printer-applet_4.4.5-1+squeeze1_all.deb
  to main/k/kdeutils/printer-applet_4.4.5-1+squeeze1_all.deb
sweeper_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/sweeper_4.4.5-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated kdeutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 18 Mar 2012 21:36:25 +0000
Source: kdeutils
Binary: kdeutils kdeutils-dbg ark kcalc kcharselect kdelirc kdf kfloppy kgpg ktimer kwalletmanager okteta plasma-scriptengine-superkaramba sweeper printer-applet
Architecture: source all amd64
Version: 4:4.4.5-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 ark        - archive utility
 kcalc      - simple and scientific calculator
 kcharselect - special character utility
 kdelirc    - infrared remote control
 kdeutils   - general-purpose utilities from the official KDE release
 kdeutils-dbg - debugging symbols for the KDE utilities module
 kdf        - disk information utility
 kfloppy    - floppy formatter
 kgpg       - graphical front end for GNU Privacy Guard
 ktimer     - countdown timer
 kwalletmanager - secure password wallet manager
 okteta     - hexadecimal editor for binary files
 plasma-scriptengine-superkaramba - SuperKaramba theme support for the Plasma Workspaces
 printer-applet - manages your printing jobs
 sweeper    - history and temporary file cleaner
Closes: 635541
Changes: 
 kdeutils (4:4.4.5-1+squeeze1) stable; urgency=low
 .
   * Non-maintainer upload.
   * CVE-2011-2725: Backport patch for upstream directory traversal in Ark
     Closes: #635541 (thanks to Moritz Muehlenhoff)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---