Accepted:
OK: kvirc_3.2.0.orig.tar.gz
OK: kvirc_3.2.0-5ubuntu1.1.diff.gz
OK: kvirc_3.2.0-5ubuntu1.1.dsc
-> Component: universe Section: net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 02 Jul 2007 13:14:30 -0500
Source: kvirc
Binary: kvirc-dev kvirc-data kvirc
Architecture: source
Version: 2:3.2.0-5ubuntu1.1
Distribution: dapper-security
Urgency: low
Maintainer: Robin Verduijn <[EMAIL PROTECTED]>
Changed-By: Richard A. Johnson <[EMAIL PROTECTED]>
Description:
kvirc - KDE based next generation IRC client with module support
kvirc-data - Data files for KVIrc
kvirc-dev - Development files for KVIrc
Changes:
kvirc (2:3.2.0-5ubuntu1.1) dapper-security; urgency=low
.
* SECURITY UPDATE: parseIrcUrl() do not properly sanitize parts of the URI
when building the command for KVIrc's internet script system. This can
be exploited to inject and execute commands for the KVIrc script system
(including the "run" command, which can be leveraged to execute shell
commands) by e.g. tricking a user into opening a specially crafted
"irc://" or similar URI.
* Add debian/patches/09_parseIrcUrl_security_fix.patch: propery sanitizes
URI strings, as done in upstream SVN. (Fixes LP: #123037)
* References:
- http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest
- http://secunia.com/secunia_research/2007-56/advisory/
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951
- https://svn.kvirc.de/kvirc/changeset/630/#file3 (fix to kvi_ircurl.cpp)
Files:
4299010085649c80dedcb0e17c748c40 672 net optional kvirc_3.2.0-5ubuntu1.1.dsc
11329dcbfc0128808671579634090b68 50003 net optional
kvirc_3.2.0-5ubuntu1.1.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGir3QH/9LqRcGPm0RAr/pAJ951lCQNho9cAhoJGChu5ans+m4aACeIxet
U/Z4m1aI/TOoFc6EE3/ggXo=
=qsM2
-----END PGP SIGNATURE-----
--
dapper-changes mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/dapper-changes
