Bug#854861: marked as done (unblock: ark/4:16.08.3-2)

Your message dated Sat, 11 Feb 2017 10:33:00 +0000
with message-id <f5ac99e0-563d-25d9-94aa-be8d2fe94155@thykier.net>
and subject line Re: Bug#854861: unblock: ark/4:16.08.3-2
has caused the Debian Bug report #854861,
regarding unblock: ark/4:16.08.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
854861: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854861
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

The current version of ark for stretch is affected by CVE-2017-5330, as
reported in 850874. The bug is currently tagged as can-defer, but
since we have an upstream patch it seems to make sense to include it for
stretch.

I'm attaching the debdiff against the package in testing.

Happy hacking,

unblock ark/4:16.08.3-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru ark-16.08.3/debian/changelog ark-16.08.3/debian/changelog
--- ark-16.08.3/debian/changelog	2016-11-23 20:48:43.000000000 +0100
+++ ark-16.08.3/debian/changelog	2017-02-10 16:29:46.000000000 +0100
@@ -1,3 +1,10 @@
+ark (4:16.08.3-2) unstable; urgency=medium
+
+  * Add new patch: Stop-running-executables-when-opening-urls.patch (CVE-2017-5330)
+    Thanks to Salvatore Bonaccorso for reporting (Closes: 850874)
+
+ -- Maximiliano Curia <maxy@debian.org>  Fri, 10 Feb 2017 16:29:46 +0100
+
 ark (4:16.08.3-1) unstable; urgency=medium
 
   * New upstream release (16.08.3)
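Review bot: `Closes: 850874` is accepted by dpkg's changelog parser (the `#` is optional), but the conventional form in Debian changelogs is `Closes: #850874`. The entry could also state in one clause what the change means for users, namely that entries extracted from an archive are no longer executed when opened from ark, so the CVE number is not the only description of the fix; and citing the upstream bug that the patch header carries (`BUG: 374572`) would help whoever later backports this to stable.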
diff -Nru ark-16.08.3/debian/patches/series ark-16.08.3/debian/patches/series
--- ark-16.08.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ark-16.08.3/debian/patches/series	2017-02-10 16:29:46.000000000 +0100
@@ -0,0 +1 @@
+Stop-running-executables-when-opening-urls.patch
diff -Nru ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch
--- ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch	1970-01-01 01:00:00.000000000 +0100
+++ ark-16.08.3/debian/patches/Stop-running-executables-when-opening-urls.patch	2017-02-10 16:29:46.000000000 +0100
@@ -0,0 +1,26 @@
+From: Elvis Angelaccio <elvis.angelaccio@kde.org>
+Date: Fri, 6 Jan 2017 15:35:46 +0100
+Subject: Stop running executables when opening urls
+
+This is a security risk because it's not clear when an entry in an
+archive is an executable.
+
+BUG: 374572
+FIXED-IN: 16.12.1
+---
+ part/part.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/part/part.cpp b/part/part.cpp
+index 0bb2bcb9..f71fc77b 100644
+--- a/part/part.cpp
++++ b/part/part.cpp
+@@ -945,7 +945,7 @@ void Part::slotOpenExtractedEntry(KJob *job)
+         } else {
+             KRun::runUrl(QUrl::fromUserInput(fullName, QString(), QUrl::AssumeLocalFile),
+                          QMimeDatabase().mimeTypeForFile(fullName).name(),
+-                         widget());
++                         widget(), false, false);
+         }
+     } else if (job->error() != KJob::KilledJobError) {
+         KMessageBox::error(widget(), job->errorString());
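Review bot: the two positional `false, false` arguments added to the `KRun::runUrl` call are opaque without their parameter names; in KIO's `KRun::runUrl` API they are `tempFile` (kept at its previous default of false) and `runExecutables` (now false, which is the actual CVE-2017-5330 fix: a file extracted from an untrusted archive is handed to the handler for its MIME type instead of being run). Writing `widget(), /* tempFile */ false, /* runExecutables */ false);` would keep that intent visible through future refactors. Two smaller points: the hunk shows only the `else` branch of `Part::slotOpenExtractedEntry`, so it is worth confirming that the other branch does not also launch the extracted file with executables enabled; and the patch header has upstream's `BUG: 374572` / `FIXED-IN: 16.12.1` lines but no DEP-3 `Origin:` or `Bug-Debian:` fields, so adding `Origin: upstream, <upstream commit id>` and `Bug-Debian: https://bugs.debian.org/850874` would record where the patch came from and why it is carried in the Debian package.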

--- End Message ---
--- Begin Message ---
Maximiliano Curia:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear release team,
> 
> The current version of ark for stretch is affected by CVE-2017-5330, as
> reported in 850874. The bug is currently tagged as can-defer, but
> since we have an upstream patch it seems to make sense to include it for
> stretch.
> 
> I'm attaching the debdiff against the package in testing.
> 
> Happy hacking,
> 
> unblock ark/4:16.08.3-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
