Bug#839865: kde-cli-tools: CVE-2016-7787

2016-10-05 Thread Salvatore Bonaccorso
Source: kde-cli-tools
Version: 4:5.7.4-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for kde-cli-tools.

CVE-2016-7787[0]:
kdesu: Displayed command truncated by unicode string terminator

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7787
[1] https://www.kde.org/info/security/advisory-20160930-1.txt

Please adjust the affected versions in the BTS as needed. I'm not sure
if kde-runtime is affected as well (it looks so source-wise, since the
same file can be patched).

Regards,
Salvatore



Bug#839865: kde-cli-tools: CVE-2016-7787

2016-10-05 Thread Balint Reczey
On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso wrote:
> Hi,
> 
> the following vulnerability was published for kde-cli-tools.
> 
> CVE-2016-7787[0]:
> kdesu: Displayed command truncated by unicode string terminator
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> 
> Please adjust the affected versions in the BTS as needed. I'm not sure
> if kde-runtime is affected as well (it looks so source-wise, since the
> same file can be patched).

It seems both Jessie and Wheezy are affected in some way.
Both show the command in the dialog, but on my vagrant VM installations
the string terminator was not interpreted on Wheezy, just on Jessie.

Test command: kdesudo ls $(printf 'aa\u9chidden')

On Jessie it shows the following dialog:
+---
|  ls aa[]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa
| Password:|
| OK Cancel
+---
Thus the string terminator takes effect only once.

On Wheezy the dialog looks like this:
+---
|  ls aa[?]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa[?]hidden
| Password:|
| OK Cancel
+---


[],[?] - block showing unknown unicode character

Cheers,
Balint
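The behaviour Balint describes, as an added example that is not part of this thread or of kdesu's code: a Python model of the truncation at U+009C and a defensive rendering that escapes every control and format character before the command is shown to the user. The `naive_render` function is an assumed model of the flawed display, not KDE's implementation.

```python
"""Added example (not KDE's kdesu code): model of the CVE-2016-7787 display
problem and a defensive rendering of the command shown in the dialog."""
import unicodedata

# Constructed input, the argument from the test command in this thread:
# printf 'aa\u9chidden' yields U+009C (STRING TERMINATOR, a C1 control).
TEST_COMMAND = "ls aa\u009chidden"

# Unicode general categories for control characters (Cc: C0, C1, DEL) and
# invisible format characters (Cf, e.g. bidi overrides). Neither belongs
# unescaped in a string whose purpose is to show what will run as root.
_HIDDEN_CATEGORIES = {"Cc", "Cf"}


def find_hidden_chars(cmd):
    """Return (index, 'U+XXXX') for each control/format character in cmd.
    An empty list means the command displays exactly as written."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(cmd)
            if unicodedata.category(ch) in _HIDDEN_CATEGORIES]


def naive_render(cmd):
    """Assumed model of the flawed behaviour seen on Jessie: the text layer
    treats U+009C as a string terminator and drops everything after it,
    so the dialog shows 'ls aa' while 'ls aa<ST>hidden' is what runs."""
    return cmd.split("\u009c", 1)[0]


def safe_render(cmd):
    """Hardened rendering: each control/format character is replaced by a
    visible escape, so the full command is shown and nothing in it can
    be interpreted by the text renderer."""
    return "".join(
        "\\u%04x" % ord(ch) if unicodedata.category(ch) in _HIDDEN_CATEGORIES
        else ch
        for ch in cmd
    )


if __name__ == "__main__":
    print("hidden chars:", find_hidden_chars(TEST_COMMAND))
    print("naive dialog:", naive_render(TEST_COMMAND))
    print("safe dialog :", safe_render(TEST_COMMAND))
```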



Processing of qtdeclarative-opensource-src_5.7.0-4_source.changes

2016-10-05 Thread Debian FTP Masters
qtdeclarative-opensource-src_5.7.0-4_source.changes uploaded successfully to localhost
along with the files:
  qtdeclarative-opensource-src_5.7.0-4.dsc
  qtdeclarative-opensource-src_5.7.0-4.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



qtdeclarative-opensource-src_5.7.0-4_source.changes ACCEPTED into experimental

2016-10-05 Thread Debian FTP Masters


Accepted:


Format: 1.8
Date: Thu, 06 Oct 2016 08:27:43 +0300
Source: qtdeclarative-opensource-src
Binary: libqt5qml5 libqt5quick5 libqt5quickparticles5 libqt5quicktest5 
libqt5quickwidgets5 qml-module-qtquick-layouts qt5-qmltooling-plugins 
qml-module-qt-labs-folderlistmodel qml-module-qtquick-localstorage 
qml-module-qtqml-models2 qml-module-qtqml-statemachine 
qml-module-qtquick-particles2 qml-module-qtquick2 qml-module-qt-labs-settings 
qml-module-qttest qml-module-qtquick-window2 qml-module-qtquick-xmllistmodel 
qtdeclarative5-dev qtdeclarative5-private-dev qtdeclarative5-dev-tools qmlscene 
qml qtdeclarative5-examples qtdeclarative5-dbg qtdeclarative5-doc 
qtdeclarative5-doc-html
Architecture: source
Version: 5.7.0-4
Distribution: experimental
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Dmitry Shachnev 
Description:
 libqt5qml5 - Qt 5 QML module
 libqt5quick5 - Qt 5 Quick library
 libqt5quickparticles5 - Qt 5 Quick particles module
 libqt5quicktest5 - Qt 5 Quick Test library
 libqt5quickwidgets5 - Qt 5 Quick Widgets library
 qml        - Qt 5 QML viewer
 qml-module-qt-labs-folderlistmodel - Qt 5 folderlistmodel QML module
 qml-module-qt-labs-settings - Qt 5 settings QML module
 qml-module-qtqml-models2 - Qt 5 Models2 QML module
 qml-module-qtqml-statemachine - Qt 5 State Machine QML module
 qml-module-qtquick-layouts - Qt 5 Quick Layouts QML module
 qml-module-qtquick-localstorage - Qt 5 localstorage QML module
 qml-module-qtquick-particles2 - Qt 5 particles 2 QML module
 qml-module-qtquick-window2 - Qt 5 window 2 QML module
 qml-module-qtquick-xmllistmodel - Qt 5 xmllistmodel QML module
 qml-module-qtquick2 - Qt 5 Qt Quick 2 QML module
 qml-module-qttest - Qt 5 test QML module
 qmlscene   - Qt 5 QML scene viewer
 qt5-qmltooling-plugins - Qt 5 qmltooling plugins
 qtdeclarative5-dbg - Qt 5 declarative libraries debugging symbols
 qtdeclarative5-dev - Qt 5 declarative development files
 qtdeclarative5-dev-tools - Qt 5 declarative development programs
 qtdeclarative5-doc - Qt 5 declarative documentation
 qtdeclarative5-doc-html - Qt 5 declarative HTML documentation
 qtdeclarative5-examples - Qt 5 declarative examples
 qtdeclarative5-private-dev - Qt 5 declarative private development files
Changes:
 qtdeclarative-opensource-src (5.7.0-4) experimental; urgency=medium
 .
   * Backport upstream patch to remove setTag() and setValue() methods, and
 leave only setTagValue() (no_value_without_tag.diff). Without this patch
 the current version of fix_engine_64bits_big_endian.diff did not make
 any sense.
   * Rebase fix_engine_64bits_big_endian.diff and fix-V4-on-big-endian.patch
 on top of the above patch.
   * Add a patch to make the qqmlapplicationengine test pass when JIT is not
 available (fix_tst_qqmlapplicationengine.diff, forwarded upstream).
   * Backport upstream patch to allow using 49 address bits in 64-bit mode
 (use_49_address_bits.diff). This should fix issues on arm64.
   * Update symbols files from amd64 build log.



Thank you for your contribution to Debian.