
Security upload for kdewebdev (1:3.3.2-6)



Hi,

I've just made a high-priority upload for kdewebdev (1:3.3.2-6) to
unstable.  The previous upload (-5) fixed a security hole in kommander
(CAN-2005-0754), but it was later realised by upstream that the patch
was not correct.  The new upload (-6) fixes this.

The entire diff between -5 and -6 is included below.  If you could
approve -6 for sarge it would be appreciated.

Thanks - Ben.


diff -u kdewebdev-3.3.2/kommander/executor/instance.cpp kdewebdev-3.3.2/kommander/executor/instance.cpp
--- kdewebdev-3.3.2/kommander/executor/instance.cpp
+++ kdewebdev-3.3.2/kommander/executor/instance.cpp
@@ -147,7 +147,7 @@
 
   bool inTemp = false;
   for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
-    if (m_uiFileName.directory().startsWith(*I))
+    if (m_uiFileName.directory(false).startsWith(*I))
       inTemp = true;
 
   if (inTemp)
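
Review bot: The bare `false` passed to `directory()` in the changed `if` line carries the entire security fix, but nothing in the code says what the flag controls or why the `startsWith(*I)` comparison against the `tmpDirs` entries depends on it. Please add a comment above the loop explaining the argument and the form the `tmpDirs` entries are expected to take, so a later cleanup does not silently revert the check. Because this is a plain string-prefix test, it is also worth confirming that both the directory string and the `tmpDirs` entries are normalized the same way before they are compared. As a minor point, the loop can `break` once `inTemp` is set.
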
diff -u kdewebdev-3.3.2/debian/changelog kdewebdev-3.3.2/debian/changelog
--- kdewebdev-3.3.2/debian/changelog
+++ kdewebdev-3.3.2/debian/changelog
@@ -1,3 +1,11 @@
+kdewebdev (1:3.3.2-6) unstable; urgency=high
+
+  * Security upload.
+  * Fixed the patch for CAN-2005-0754.  The previous patch from 1:3.3.2-5 was
+    incorrect, and still allowed execution of files served from /tmp.
+
+ -- Ben Burton <bab@debian.org>  Thu,  5 May 2005 14:32:03 +1000
+
 kdewebdev (1:3.3.2-5) unstable; urgency=high
 
   * Security upload.
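
Review bot: The new 1:3.3.2-6 entry says the earlier CAN-2005-0754 patch "still allowed execution of files served from /tmp" but does not name the affected component or what was changed. Mentioning kommander and the corrected `directory()` call in `kommander/executor/instance.cpp` would let someone reading only the changelog tell how -6 differs from -5.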


