Your message dated Sat, 03 Dec 2011 12:33:15 +0000
with message-id <e1rwomj-0006y9...@franck.debian.org>
and subject line Bug#635541: fixed in kdeutils 4:4.6.5-4
has caused the Debian Bug report #635541,
regarding ark: Directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
635541: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635541
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ark
Version: 4:4.6.5-2
Severity: grave
Tags: security
The following was reported on oss-security. There's no CVE assignment
or any details yet:
---
Date: Mon, 25 Jul 2011 14:45:14 -0400
From: Jeff Mitchell <mitch...@kde.org>
Subject: [oss-security] CVE Request: Ark path traversal
Hello,
Ark contains a path traversal vulnerability allowing a
maliciously-crafted zip file to allow for an arbitrary file to be
displayed and, if the user has appropriate credentials, removed.
Can we please get a CVE for this?
Thanks,
Jeff
---
Could you contact upstream for details?
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ark depends on:
ii kdebase-runtime 4:4.6.5-1 runtime components from the offici
ii libarchive1 2.8.4-1 Single library to read/write tar,
ii libc6 2.13-10 Embedded GNU C Library: Shared lib
ii libkdecore5 4:4.6.5-2 KDE Platform Core Library
ii libkdeui5 4:4.6.5-2 KDE Platform User Interface Librar
ii libkfile4 4:4.6.5-2 File Selection Dialog Library for
ii libkhtml5 4:4.6.5-2 KHTML Web Content Rendering Engine
ii libkio5 4:4.6.5-2 Network-enabled File Management Li
ii libkonq5abi1 4:4.6.5-1 core libraries for Konqueror
ii libkparts4 4:4.6.5-2 Framework for the KDE Platform Gra
ii libkpty4 4:4.6.5-2 Pseudo Terminal Library for the KD
ii libqt4-dbus 4:4.7.3-5 Qt 4 D-Bus module
ii libqtcore4 4:4.7.3-5 Qt 4 core module
ii libqtgui4 4:4.7.3-5 Qt 4 GUI module
ii libstdc++6 4.6.1-4 GNU Standard C++ Library v3
Versions of packages ark recommends:
ii bzip2 1.0.5-6 high-quality block-sorting file co
ii p7zip-full 9.20.1~dfsg.1-2 7z and 7za file archivers with hig
ii unzip 6.0-5 De-archiver for .zip files
ii zip 3.0-4 Archiver for .zip files
Versions of packages ark suggests:
pn rar <none> (no description available)
pn unrar | unrar-free <none> (no description available)
-- no debconf information
--- End Message ---
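The report above describes the general archive path-traversal pattern: a member name such as `../../x` or an absolute path that, when joined with the extraction directory, lands outside it. As an added defensive illustration (not part of the bug report, of Ark, or of the upstream fix), the following Python shows the two checks an extractor should make before touching the filesystem: a lexical check on the stored member name, and a `realpath` check on the final target. The sample archive and its entry names are constructed for the demo.

```python
import io
import os
import posixpath
import zipfile


def is_safe_member(name):
    """Lexical check on a zip member name (zip names use '/' separators).

    Rejects empty names, absolute paths, backslashes, Windows drive prefixes
    and any name that still climbs above the root after normalisation.
    """
    if not name or name.startswith(("/", "\\")):
        return False
    if "\\" in name:
        return False
    if len(name) >= 2 and name[1] == ":":  # e.g. "C:..." style prefix
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def resolved_target(dest_root, name):
    """Second line of defence: resolve the joined path and confirm it is
    still inside dest_root. Returns the resolved path, or None if it escapes.
    realpath also follows symlinks already present under dest_root."""
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or target.startswith(root + os.sep):
        return target
    return None


def audit_archive(data):
    """Classify every member of an in-memory zip as 'ok' or 'rejected'
    without extracting anything."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = "ok" if is_safe_member(info.filename) else "rejected"
            results[info.filename] = verdict
    return results


def build_sample_archive():
    """Constructed sample archive: one benign entry plus two entries whose
    names would escape the extraction directory. writestr() stores the
    name verbatim, so the traversal names survive into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../escape.txt", "outside the root")
        zf.writestr("/abs/path.txt", "absolute name")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in audit_archive(build_sample_archive()).items():
        print(f"{verdict:8s} {member}")
```

The lexical check alone is not sufficient: a benign-looking name can still resolve outside the root if an earlier member created a symlink under it, which is why `resolved_target` re-checks the real path at extraction time. Modern `zipfile.extractall` performs similar sanitisation itself; the point here is to make the checks visible for any extractor that builds paths by hand.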
--- Begin Message ---
Source: kdeutils
Source-Version: 4:4.6.5-4
We believe that the bug you reported is fixed in the latest version of
kdeutils, which is due to be installed in the Debian FTP archive:
ark_4.6.5-4_amd64.deb
to main/k/kdeutils/ark_4.6.5-4_amd64.deb
filelight_4.6.5-4_amd64.deb
to main/k/kdeutils/filelight_4.6.5-4_amd64.deb
kcalc_4.6.5-4_amd64.deb
to main/k/kdeutils/kcalc_4.6.5-4_amd64.deb
kcharselect_4.6.5-4_amd64.deb
to main/k/kdeutils/kcharselect_4.6.5-4_amd64.deb
kdelirc_4.6.5-4_all.deb
to main/k/kdeutils/kdelirc_4.6.5-4_all.deb
kdeutils-dbg_4.6.5-4_amd64.deb
to main/k/kdeutils/kdeutils-dbg_4.6.5-4_amd64.deb
kdeutils_4.6.5-4.debian.tar.gz
to main/k/kdeutils/kdeutils_4.6.5-4.debian.tar.gz
kdeutils_4.6.5-4.dsc
to main/k/kdeutils/kdeutils_4.6.5-4.dsc
kdeutils_4.6.5-4_all.deb
to main/k/kdeutils/kdeutils_4.6.5-4_all.deb
kdf_4.6.5-4_amd64.deb
to main/k/kdeutils/kdf_4.6.5-4_amd64.deb
kfloppy_4.6.5-4_amd64.deb
to main/k/kdeutils/kfloppy_4.6.5-4_amd64.deb
kgpg_4.6.5-4_amd64.deb
to main/k/kdeutils/kgpg_4.6.5-4_amd64.deb
kremotecontrol_4.6.5-4_amd64.deb
to main/k/kdeutils/kremotecontrol_4.6.5-4_amd64.deb
ktimer_4.6.5-4_amd64.deb
to main/k/kdeutils/ktimer_4.6.5-4_amd64.deb
kwalletmanager_4.6.5-4_amd64.deb
to main/k/kdeutils/kwalletmanager_4.6.5-4_amd64.deb
plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
to main/k/kdeutils/plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
printer-applet_4.6.5-4_all.deb
to main/k/kdeutils/printer-applet_4.6.5-4_all.deb
sweeper_4.6.5-4_amd64.deb
to main/k/kdeutils/sweeper_4.6.5-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 635...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated
kdeutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 03 Dec 2011 12:32:27 +0100
Source: kdeutils
Binary: kdeutils kdeutils-dbg ark kcalc kcharselect kremotecontrol kdelirc kdf
kfloppy kgpg ktimer kwalletmanager plasma-scriptengine-superkaramba sweeper
printer-applet filelight
Architecture: source all amd64
Version: 4:4.6.5-4
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
ark - archive utility
filelight - show where your diskspace is being used
kcalc - simple and scientific calculator
kcharselect - special character utility
kdelirc - transitional package for kremotecontrol
kdeutils - general-purpose utilities from the official KDE SC release
kdeutils-dbg - debugging symbols for the KDE SC utilities module
kdf - disk information utility
kfloppy - floppy formatter
kgpg - graphical front end for GNU Privacy Guard
kremotecontrol - frontend for using remote controls
ktimer - countdown timer
kwalletmanager - secure password wallet manager
plasma-scriptengine-superkaramba - SuperKaramba theme support for the Plasma
Workspaces
printer-applet - manages your printing jobs
sweeper - history and temporary file cleaner
Closes: 635541
Changes:
kdeutils (4:4.6.5-4) unstable; urgency=high
.
[ Pino Toscano ]
* Backport the upstream r1259334 from the 4.6 branch to fix the Ark
directory traversal, CVE-2011-2725. (Closes: #635541)
Checksums-Sha1:
c2910dcb68ab39426770f3897db5d6ae004947ce 2400 kdeutils_4.6.5-4.dsc
d17049f409509d2f5f7470d962fa229f9ec45035 16542 kdeutils_4.6.5-4.debian.tar.gz
b681b21a100c8a3ae2298ab0e53573c9703d8ac9 11082 kdeutils_4.6.5-4_all.deb
60eed14a918f325a9cfa9c42762914a6d440fb1b 18525018 kdeutils-dbg_4.6.5-4_amd64.deb
6f02a36ed8d02cfa6bf11db7acdb674077bcad0e 391304 ark_4.6.5-4_amd64.deb
d6d03a5ea5bdca86e75f4a6c32a71d42cf322461 154754 kcalc_4.6.5-4_amd64.deb
8f1e8026611a3891c0f540d43e3669fa8ccd77ec 93878 kcharselect_4.6.5-4_amd64.deb
98a7072e2d6ba386f6cede985b489d7f7a1656ad 1201688 kremotecontrol_4.6.5-4_amd64.deb
961a8c9be2e7b2c210d1250844b481f769506fd9 11026 kdelirc_4.6.5-4_all.deb
142b64821a5a67dd74c50905ab90e156d7f0f291 315856 kdf_4.6.5-4_amd64.deb
27d49028a159a9adfdf40f67c66b41deedc827c1 83448 kfloppy_4.6.5-4_amd64.deb
44b238cd6ac6c56ec830f850a20515fe7953a8e3 1023690 kgpg_4.6.5-4_amd64.deb
c8fa8dd2d0f17d644db8ff10916c09c6370f7814 204586 ktimer_4.6.5-4_amd64.deb
f8c79f3c3b72b2e50e8605b08617eae7ce6ca98a 402826 kwalletmanager_4.6.5-4_amd64.deb
5bcd91846c7bfb9cc0e42b14e9c28a4ed432bc9a 365000 plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
2a8ddbeeacb70fe13b3211b3deaf9ce642ff555b 107444 sweeper_4.6.5-4_amd64.deb
559164f7995e7130a69d4b82f3b7589e2b39bf43 43566 printer-applet_4.6.5-4_all.deb
027215419b59ef1be41c49fd77019d828d80b456 342444 filelight_4.6.5-4_amd64.deb
Checksums-Sha256:
08cacdb17024a5aa7fe68f7a3c9c2c5d350dc4d6ee58e3bdacc85cbe9b82dffa 2400 kdeutils_4.6.5-4.dsc
59b3cf25fba2d6107ad0c38ddf21a273efde16f1abadfeef2dab47feaad7cafe 16542 kdeutils_4.6.5-4.debian.tar.gz
cc5c542b584262a1bc1fc5b178fcad9a8254a57b0e00ca39ae1c69dcc77071ba 11082 kdeutils_4.6.5-4_all.deb
749c243eade2d11e629e531b5d144172abc37a2f3af0ece36dab344d06ea220f 18525018 kdeutils-dbg_4.6.5-4_amd64.deb
cc25c48d655ff67965704f92dba8be06c4f865005eb9121a2e8c9eba17e5eb28 391304 ark_4.6.5-4_amd64.deb
e9e5db952d2427aa3feb9daf8251152a418891bc969a41d44cdb448ccd90487f 154754 kcalc_4.6.5-4_amd64.deb
07aa2785d8faa0817de0f3adc3249a61089d922d793dfc2f4a61ed5d752dc34b 93878 kcharselect_4.6.5-4_amd64.deb
c9008dc2d71bf05c886c13226ca6c71a0bd7c38ef0028f81860cd75b025abc50 1201688 kremotecontrol_4.6.5-4_amd64.deb
9d24d91cc23b894a7f3ca4dac09e0a1bb87d7956a2ae0043624be0d519e058f8 11026 kdelirc_4.6.5-4_all.deb
3c37e58a31f07e1ce259065e0da3fef0541694d5b34936e76df523aae3ea6cef 315856 kdf_4.6.5-4_amd64.deb
878b29fad5b720897d24f9ef0ff9a33ef32d9a1e6ed6116ba86d50a702b0ed05 83448 kfloppy_4.6.5-4_amd64.deb
d644410683e48d1589b18f24861954c0123df63f7d4418fee59ce0be382ba789 1023690 kgpg_4.6.5-4_amd64.deb
ba1ab9bb47905796bb18c5d492f7726fe94c3ccdbab932074edca2125e358453 204586 ktimer_4.6.5-4_amd64.deb
508e5a5008006463fba0c9ba73a4092195385884cc8f660ce18f8e663ee68500 402826 kwalletmanager_4.6.5-4_amd64.deb
e810411dc337a86436f044486015b2a5313729109f7b9422f41b4d7884f918b2 365000 plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
25cfa2b496efba641f766f75bf18188a2f0e36dd7511b5bc820ec43e9a25d325 107444 sweeper_4.6.5-4_amd64.deb
071b159b385ae511894e82803798307ab182692c170551b9b888c7212cc80138 43566 printer-applet_4.6.5-4_all.deb
445c294d1587743ba6238f8955df492e917e2a97856dbf0c63a3d51ebe53953e 342444 filelight_4.6.5-4_amd64.deb
Files:
235d1021ba02e63fe149800568cf18b1 2400 kde optional kdeutils_4.6.5-4.dsc
a1ae15cc6f7bd99feef386a82ae95652 16542 kde optional kdeutils_4.6.5-4.debian.tar.gz
d00071b4343455d6ee1788453962a360 11082 kde optional kdeutils_4.6.5-4_all.deb
446e73bda033d2fba5b7b33c82828333 18525018 debug extra kdeutils-dbg_4.6.5-4_amd64.deb
4b5a28c0a52c3cb36584d840d2f81f5d 391304 utils optional ark_4.6.5-4_amd64.deb
f62bd5ab26ea6a7728e8ab4a4a01e2c2 154754 math optional kcalc_4.6.5-4_amd64.deb
297035f4167932712b41f5c23f8b8b90 93878 utils optional kcharselect_4.6.5-4_amd64.deb
6804bef1bfff7d0ef17b18d7ab8dfbd2 1201688 utils optional kremotecontrol_4.6.5-4_amd64.deb
997e27cda8a5e0b7fdfd4aa23d2869e2 11026 utils optional kdelirc_4.6.5-4_all.deb
cf65926d2650f3965bf90c0dba2922b7 315856 utils optional kdf_4.6.5-4_amd64.deb
3a3c267f3c149cdf8161aeefda39555d 83448 utils optional kfloppy_4.6.5-4_amd64.deb
d1ec1e8e93855f8a16683a561fa78a6b 1023690 utils optional kgpg_4.6.5-4_amd64.deb
510c37f1283296c61f13be239020e445 204586 utils optional ktimer_4.6.5-4_amd64.deb
dc150bd0d13b989d573933dce64fb638 402826 utils optional kwalletmanager_4.6.5-4_amd64.deb
ccc4221a059db4f581b63b3bfe58b40b 365000 kde optional plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
be8874d46bf0841f0130db62a860fbbb 107444 utils optional sweeper_4.6.5-4_amd64.deb
71369b7b93e048779094b3ea8d6facc4 43566 utils optional printer-applet_4.6.5-4_all.deb
c64a28adf5758614ad1bd2cd512c2152 342444 kde optional filelight_4.6.5-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFO2hMKTNH2piB/L3oRAi2fAJsFnFQ41/kZmyw7AWZGeQtxaVqWJwCfdL/w
kPMJs1NiOEEvED5I7u2iZd4=
=kmHo
-----END PGP SIGNATURE-----
--- End Message ---