On Tue, Feb 13, 2007 at 12:59:12PM -0800, Kees Cook wrote:
> Package: amarok
> Version: 1.4.4-2
> Severity: grave
> Tags: patch, security
> 
> CVE-2006-6980 says[1]:
> 
> "The ruby handlers in Amarok do not properly quote text in certain 
> contexts, probably including construction of an unzip command line, 
> which allows attackers to execute arbitrary commands via shell 
> metacharacters."
> 
> There is an open KDE bug report[2], and SuSE has patched this 
> problem.  I'm working on extracting the patches now...
> 
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
> [2] http://bugs.kde.org/show_bug.cgi?id=138499
>

As Kees says in a previous mail, this CVE is misleading and it is
pointing to 2 security bugs. Upstream has fixed one of them:
http://bugs.kde.org/show_bug.cgi?id=138499

And I'm still waiting for some input on the ruby scripts patches
(attached to this mail).

Ana
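
The quoting problem described in the CVE text above, as an added Ruby example that is not part of the original mail, Amarok's scripts or the attached patches. It assumes a stand-in program in place of unzip that only reports the arguments it receives, and the file name is constructed.

```ruby
require "open3"
require "rbconfig"
require "shellwords"

# Stand-in for unzip (assumption): a Ruby one-liner that prints the argument
# vector it was started with, so the effect of quoting is directly visible.
TOOL = [RbConfig.ruby, "-e", "puts ARGV.inspect"].freeze

# Constructed file name containing a shell metacharacter.
HOSTILE_NAME = "theme.zip; echo INJECTED"

# Runs a command and returns its stdout as an array of lines.
# One string  -> parsed by /bin/sh. Several arguments -> executed directly.
def run(*cmd)
  out, _status = Open3.capture2(*cmd)
  out.lines.map(&:chomp)
end

# Unquoted interpolation: the shell splits the name at ";" and treats the
# remainder as a second command.
def extract_interpolated(name)
  run("#{TOOL.shelljoin} #{name}")
end

# Mitigation 1: escape the untrusted part before it reaches the shell.
def extract_escaped(name)
  run("#{TOOL.shelljoin} #{Shellwords.escape(name)}")
end

# Mitigation 2 (preferred): pass an argument list so no shell is involved.
def extract_argv(name)
  run(*TOOL, name)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{extract_interpolated(HOSTILE_NAME).inspect}"
  puts "escaped:      #{extract_escaped(HOSTILE_NAME).inspect}"
  puts "argv list:    #{extract_argv(HOSTILE_NAME).inspect}"
end
```

In the interpolated case the stand-in sees only `theme.zip` and a second output line appears from the shell; in the other two it receives the whole name as a single argument.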