Your message dated Sat, 12 May 2012 13:32:55 +0100 with message-id <dda96cc3369bdcdc1a3cdf68c2fc2f56@mail.adsl.funky-badger.org> and subject line Closing requests for packages included in 6.0.5 has caused the Debian Bug report #664567, regarding pu: kdeutils: diff for NMU version 4:4.4.5-1.1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
664567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664567
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: pu: kdeutils: diff for NMU version 4:4.4.5-1.1
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sun, 18 Mar 2012 22:41:33 +0000
- Message-id: <20120318224133.GA24972@lupin.home.powdarrmonkey.net>
Package: release.debian.org
User: debian-release@lists.debian.org
Usertags: pu

Dear maintainer,

The following NMU is submitted to the release team for consideration to fix bug #635541 in stable. Following their approval I will upload it to DELAYED/5 if you do not object first.

RT: please comment/approve.

Thanks,

--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghits

diff -Nru kdeutils-4.4.5/debian/changelog kdeutils-4.4.5/debian/changelog --- kdeutils-4.4.5/debian/changelog 2010-07-21 08:47:03.000000000 +0100 +++ kdeutils-4.4.5/debian/changelog 2012-03-18 21:38:38.000000000 +0000 @@ -1,3 +1,11 @@ +kdeutils (4:4.4.5-1.1) stable; urgency=low + + * Non-maintainer upload. + * CVE-2011-2725: Backport patch for upstream directory traversal in Ark + Closes: #635541 (thanks to Moritz Muehlenhoff) + + -- Jonathan Wiltshire <jmw@debian.org> Sun, 18 Mar 2012 21:36:25 +0000 + kdeutils (4:4.4.5-1) unstable; urgency=low [ Modestas Vainius ] diff -Nru kdeutils-4.4.5/debian/patches/CVE-2011-2725.patch kdeutils-4.4.5/debian/patches/CVE-2011-2725.patch --- kdeutils-4.4.5/debian/patches/CVE-2011-2725.patch 1970-01-01 01:00:00.000000000 +0100 +++ kdeutils-4.4.5/debian/patches/CVE-2011-2725.patch 2012-03-18 21:43:23.000000000 +0000
@@ -0,0 +1,27 @@ +Description: fix directory traversal in Ark +Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635541#32 +Bug-Debian: http://bugs.debian.org/635541 +Author: Moritz Muehlenhoff <jmm@debian.org> +Reviewed-By: Jonathan Wiltshire <jmw@debian.org> +Last-Update: 2012-03-18 + +--- kdeutils-4.4.5.orig/ark/part/part.cpp ++++ kdeutils-4.4.5/ark/part/part.cpp +@@ -500,8 +500,15 @@ void Part::slotPreviewExtracted(KJob *jo + if (!job->error()) { + const ArchiveEntry& entry = + m_model->entryForIndex(m_view->selectionModel()->currentIndex()); +- const QString fullName = +- m_previewDir->name() + '/' + entry[ FileName ].toString(); ++ ++ QString fullName = ++ m_previewDir->name() + QLatin1Char('/') + entry[ FileName ].toString(); ++ ++ // Make sure a maliciously crafted archive with parent folders named ".." do ++ // not cause the previewed file path to be located outside the temporary ++ // directory, resulting in a directory traversal issue. ++ fullName.remove(QLatin1String("../")); ++ + ArkViewer::view(fullName, widget()); + } else { + KMessageBox::error(widget(), job->errorString());Attachment: signature.asc
Description: Digital signature
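Review bot: The DEP-3 header of debian/patches/CVE-2011-2725.patch gives `Origin:` as a message in Debian bug #635541, while the debian/changelog entry describes the change as a backport of an upstream patch. If it is an upstream backport, point `Origin:` at the upstream commit (DEP-3 allows an `upstream, ` or `backport, ` prefix before the URL) so that the provenance of a security fix going into stable can be checked against what upstream shipped.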
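Review bot: In the part.cpp hunk, `fullName.remove(QLatin1String("../"));` deletes a literal substring instead of checking where the resulting path ends up, so on its own it does not guarantee that `fullName` stays under `m_previewDir->name()`. Deleting one occurrence can leave a new `../` formed from the characters on either side of it, and the call also runs over the temporary-directory prefix rather than only over `entry[ FileName ]`. Consider normalising the joined path (for example with QDir::cleanPath or QFileInfo::canonicalFilePath) and refusing to call `ArkViewer::view` unless the result still begins with the preview directory path. The added comment also has an agreement slip ("archive ... do not cause").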
--- End Message ---
--- Begin Message ---
- To: <623148-done@bugs.debian.org>, <657722-done@bugs.debian.org>, <658424-done@bugs.debian.org>, <660693-done@bugs.debian.org>, <661473-done@bugs.debian.org>, <661652-done@bugs.debian.org>, <663104-done@bugs.debian.org>, <664567-done@bugs.debian.org>, <666001-done@bugs.debian.org>, <666222-done@bugs.debian.org>, <666687-done@bugs.debian.org>, <668456-done@bugs.debian.org>, <670730-done@bugs.debian.org>, <671449-done@bugs.debian.org>
- Subject: Closing requests for packages included in 6.0.5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 12 May 2012 13:32:55 +0100
- Message-id: <dda96cc3369bdcdc1a3cdf68c2fc2f56@mail.adsl.funky-badger.org>
Version: 6.0.5

Hi,

All of the packages referenced by the closed bugs were included in the 6.0.5 point release which occurred today.

Regards,

Adam
--- End Message ---