Debian Bug report logs - #635541
ark: Directory traversal

Package: ark; Maintainer for ark is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>; Source for ark is src:ark.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 26 Jul 2011 20:21:01 UTC

Severity: grave

Tags: security, squeeze

Found in version kdeutils/4:4.6.5-2

Fixed in versions kdeutils/4:4.6.5-4, kdeutils/4:4.4.5-1+squeeze1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#635541; Package ark. (Tue, 26 Jul 2011 20:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 26 Jul 2011 20:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ark: Directory traversal
Date: Tue, 26 Jul 2011 22:20:46 +0200

Package: ark
Version: 4:4.6.5-2
Severity: grave
Tags: security

The following was reported on oss-security. There's no CVE assignment
or any details yet:

---
Date: Mon, 25 Jul 2011 14:45:14 -0400
From: Jeff Mitchell <mitchell@kde.org>
Subject: [oss-security] CVE Request: Ark path traversal

Hello,

Ark contains a path traversal vulnerability allowing a
maliciously-crafted zip file to allow for an arbitrary file to be
displayed and, if the user has appropriate credentials, removed.

Can we please get a CVE for this?

Thanks,
Jeff
---

Could you contact upstream for details?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ark depends on:
ii  kdebase-runtime               4:4.6.5-1  runtime components from the offici
ii  libarchive1                   2.8.4-1    Single library to read/write tar, 
ii  libc6                         2.13-10    Embedded GNU C Library: Shared lib
ii  libkdecore5                   4:4.6.5-2  KDE Platform Core Library
ii  libkdeui5                     4:4.6.5-2  KDE Platform User Interface Librar
ii  libkfile4                     4:4.6.5-2  File Selection Dialog Library for 
ii  libkhtml5                     4:4.6.5-2  KHTML Web Content Rendering Engine
ii  libkio5                       4:4.6.5-2  Network-enabled File Management Li
ii  libkonq5abi1                  4:4.6.5-1  core libraries for Konqueror
ii  libkparts4                    4:4.6.5-2  Framework for the KDE Platform Gra
ii  libkpty4                      4:4.6.5-2  Pseudo Terminal Library for the KD
ii  libqt4-dbus                   4:4.7.3-5  Qt 4 D-Bus module
ii  libqtcore4                    4:4.7.3-5  Qt 4 core module
ii  libqtgui4                     4:4.7.3-5  Qt 4 GUI module
ii  libstdc++6                    4.6.1-4    GNU Standard C++ Library v3

Versions of packages ark recommends:
ii  bzip2                    1.0.5-6         high-quality block-sorting file co
ii  p7zip-full               9.20.1~dfsg.1-2 7z and 7za file archivers with hig
ii  unzip                    6.0-5           De-archiver for .zip files
ii  zip                      3.0-4           Archiver for .zip files

Versions of packages ark suggests:
pn  rar                           <none>     (no description available)
pn  unrar | unrar-free            <none>     (no description available)

-- no debconf information
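
The class of bug reported above, as an added example (not Ark's code and not the upstream fix): a check an archive tool can run on every zip entry name before it previews or deletes the file that name maps to. The working directory, entry names and function names are constructed for illustration.

```python
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Constructed sample entry names; none of them come from the bug report.
CONSTRUCTED_NAMES = [
    "docs/readme.txt",          # ordinary entry
    "docs/../readme2.txt",      # uses ".." but stays inside the archive root
    "../../outside/notes.txt",  # climbs out of the archive root
    "/abs/notes.txt",           # absolute path
]


def escape_reason(entry_name: str) -> Optional[str]:
    """Say why an entry name would leave the archive root, or None if it stays inside."""
    norm = entry_name.replace("\\", "/")  # treat Windows separators like "/"
    if norm.startswith("/") or (len(norm) > 1 and norm[0].isalpha() and norm[1] == ":"):
        return "absolute path"
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # more ".." than directories entered so far
                return "climbs above archive root"
        else:
            depth += 1
    return None


def audit_zip(data: bytes) -> List[Tuple[str, str]]:
    """List (entry name, reason) for every entry that would escape the archive root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = escape_reason(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def safe_target(base_dir: str, entry_name: str) -> str:
    """Map an entry name to a path under base_dir, refusing anything that lands outside it.

    Call this before opening, displaying or deleting the mapped file.
    """
    reason = escape_reason(entry_name)
    if reason:
        raise ValueError(f"refusing {entry_name!r}: {reason}")
    base = os.path.realpath(base_dir)
    parts = [p for p in entry_name.replace("\\", "/").split("/") if p not in ("", ".")]
    target = os.path.realpath(os.path.join(base, *parts))
    # Second check after resolution also catches symlinks inside base_dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing {entry_name!r}: resolves outside {base}")
    return target


def build_constructed_zip() -> bytes:
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in CONSTRUCTED_NAMES:
            zf.writestr(name, b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_constructed_zip()):
        print(f"{name}: {reason}")
```
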




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#635541; Package ark. (Tue, 18 Oct 2011 17:42:03 GMT)

Acknowledgement sent to Marcos Marado <mindboosternoori@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 18 Oct 2011 17:42:03 GMT)

Message #10 received at 635541@bugs.debian.org:

From: Marcos Marado <mindboosternoori@gmail.com>
To: 635541@bugs.debian.org
Subject: Re: ark: Directory traversal
Date: Tue, 18 Oct 2011 18:39:19 +0100

FYI, upstream has a fix:

http://quickgit.kde.org/?p=ark.git&a=commitdiff&h=6f6c0b18b3569ae2b5b6f65dc7ea626a8b7c03c0

-- 
Marcos Marado




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#635541; Package ark. (Tue, 29 Nov 2011 17:06:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 29 Nov 2011 17:06:03 GMT)

Message #15 received at 635541@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 635541@bugs.debian.org
Subject: Re: ark: Directory traversal
Date: Tue, 29 Nov 2011 18:02:11 +0100

On Tue, Jul 26, 2011 at 10:20:46PM +0200, Moritz Muehlenhoff wrote:
> Package: ark
> Version: 4:4.6.5-2
> Severity: grave
> Tags: security
> 
> The following was reported on oss-security. There's no CVE assignment
> or any details yet:
> 
> ---
> Date: Mon, 25 Jul 2011 14:45:14 -0400
> From: Jeff Mitchell <mitchell@kde.org>
> Subject: [oss-security] CVE Request: Ark path traversal
> 
> Hello,
> 
> Ark contains a path traversal vulnerability allowing a
> maliciously-crafted zip file to allow for an arbitrary file to be
> displayed and, if the user has appropriate credentials, removed.
> 
> Can we please get a CVE for this?
> 
> Thanks,
> Jeff
> ---
> 
> Could you contact upstream for details?

KDE maintainers, what's the status?

This has been assigned CVE-2011-2725. Red Hat has collected the
information nicely: https://bugzilla.redhat.com/show_bug.cgi?id=725764

Cheers,
        Moritz




Reply sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
You have taken responsibility. (Sat, 03 Dec 2011 12:37:01 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 03 Dec 2011 12:37:39 GMT)

Message #20 received at 635541-close@bugs.debian.org:

From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 635541-close@bugs.debian.org
Subject: Bug#635541: fixed in kdeutils 4:4.6.5-4
Date: Sat, 03 Dec 2011 12:33:15 +0000

Source: kdeutils
Source-Version: 4:4.6.5-4

We believe that the bug you reported is fixed in the latest version of
kdeutils, which is due to be installed in the Debian FTP archive:

ark_4.6.5-4_amd64.deb
  to main/k/kdeutils/ark_4.6.5-4_amd64.deb
filelight_4.6.5-4_amd64.deb
  to main/k/kdeutils/filelight_4.6.5-4_amd64.deb
kcalc_4.6.5-4_amd64.deb
  to main/k/kdeutils/kcalc_4.6.5-4_amd64.deb
kcharselect_4.6.5-4_amd64.deb
  to main/k/kdeutils/kcharselect_4.6.5-4_amd64.deb
kdelirc_4.6.5-4_all.deb
  to main/k/kdeutils/kdelirc_4.6.5-4_all.deb
kdeutils-dbg_4.6.5-4_amd64.deb
  to main/k/kdeutils/kdeutils-dbg_4.6.5-4_amd64.deb
kdeutils_4.6.5-4.debian.tar.gz
  to main/k/kdeutils/kdeutils_4.6.5-4.debian.tar.gz
kdeutils_4.6.5-4.dsc
  to main/k/kdeutils/kdeutils_4.6.5-4.dsc
kdeutils_4.6.5-4_all.deb
  to main/k/kdeutils/kdeutils_4.6.5-4_all.deb
kdf_4.6.5-4_amd64.deb
  to main/k/kdeutils/kdf_4.6.5-4_amd64.deb
kfloppy_4.6.5-4_amd64.deb
  to main/k/kdeutils/kfloppy_4.6.5-4_amd64.deb
kgpg_4.6.5-4_amd64.deb
  to main/k/kdeutils/kgpg_4.6.5-4_amd64.deb
kremotecontrol_4.6.5-4_amd64.deb
  to main/k/kdeutils/kremotecontrol_4.6.5-4_amd64.deb
ktimer_4.6.5-4_amd64.deb
  to main/k/kdeutils/ktimer_4.6.5-4_amd64.deb
kwalletmanager_4.6.5-4_amd64.deb
  to main/k/kdeutils/kwalletmanager_4.6.5-4_amd64.deb
plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
  to main/k/kdeutils/plasma-scriptengine-superkaramba_4.6.5-4_amd64.deb
printer-applet_4.6.5-4_all.deb
  to main/k/kdeutils/printer-applet_4.6.5-4_all.deb
sweeper_4.6.5-4_amd64.deb
  to main/k/kdeutils/sweeper_4.6.5-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdeutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 03 Dec 2011 12:32:27 +0100
Source: kdeutils
Binary: kdeutils kdeutils-dbg ark kcalc kcharselect kremotecontrol kdelirc kdf kfloppy kgpg ktimer kwalletmanager plasma-scriptengine-superkaramba sweeper printer-applet filelight
Architecture: source all amd64
Version: 4:4.6.5-4
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 ark        - archive utility
 filelight  - show where your diskspace is being used
 kcalc      - simple and scientific calculator
 kcharselect - special character utility
 kdelirc    - transitional package for kremotecontrol
 kdeutils   - general-purpose utilities from the official KDE SC release
 kdeutils-dbg - debugging symbols for the KDE SC utilities module
 kdf        - disk information utility
 kfloppy    - floppy formatter
 kgpg       - graphical front end for GNU Privacy Guard
 kremotecontrol - frontend for using remote controls
 ktimer     - countdown timer
 kwalletmanager - secure password wallet manager
 plasma-scriptengine-superkaramba - SuperKaramba theme support for the Plasma Workspaces
 printer-applet - manages your printing jobs
 sweeper    - history and temporary file cleaner
Closes: 635541
Changes: 
 kdeutils (4:4.6.5-4) unstable; urgency=high
 .
   [ Pino Toscano ]
   * Backport the upstream r1259334 from the 4.6 branch to fix the Ark
     directory traversal, CVE-2011-2725. (Closes: #635541)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#635541; Package ark. (Wed, 21 Dec 2011 18:03:05 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 21 Dec 2011 18:03:05 GMT)

Message #25 received at 635541@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 635541@bugs.debian.org
Subject: ark: Directory traversal
Date: Wed, 21 Dec 2011 18:01:08 +0000 (GMT)

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.4) 	- use target "stable"
lenny (5.0.10) 	- use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Added tag(s) squeeze. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Wed, 21 Dec 2011 18:03:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#635541; Package ark. (Tue, 03 Jan 2012 19:57:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 03 Jan 2012 19:57:05 GMT)

Message #32 received at 635541@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: 635541@bugs.debian.org
Subject: Re: ark: Directory traversal
Date: Tue, 3 Jan 2012 20:54:06 +0100

On Wed, Dec 21, 2011 at 06:01:08PM +0000, Jonathan Wiltshire wrote:
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> squeeze (6.0.4) 	- use target "stable"
> lenny (5.0.10) 	- use target "oldstable"
> 
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
> 
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track the progress of this request.
> 
> For details of this process and the rationale, please see the original
> announcement [1] and my blog post [2].

Dear KDE maintainers,
patch for Squeeze is attached.

Cheers,
        Moritz
[CVE-2011-2725.patch (text/x-diff, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Feb 2012 07:36:19 GMT)

Bug unarchived. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sun, 18 Mar 2012 21:39:06 GMT)

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Mon, 26 Mar 2012 18:33:16 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 26 Mar 2012 18:33:17 GMT)

Message #41 received at 635541-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 635541-close@bugs.debian.org
Subject: Bug#635541: fixed in kdeutils 4:4.4.5-1+squeeze1
Date: Mon, 26 Mar 2012 18:32:48 +0000

Source: kdeutils
Source-Version: 4:4.4.5-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
kdeutils, which is due to be installed in the Debian FTP archive:

ark_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/ark_4.4.5-1+squeeze1_amd64.deb
kcalc_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kcalc_4.4.5-1+squeeze1_amd64.deb
kcharselect_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kcharselect_4.4.5-1+squeeze1_amd64.deb
kdelirc_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdelirc_4.4.5-1+squeeze1_amd64.deb
kdeutils-dbg_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdeutils-dbg_4.4.5-1+squeeze1_amd64.deb
kdeutils_4.4.5-1+squeeze1.debian.tar.gz
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1.debian.tar.gz
kdeutils_4.4.5-1+squeeze1.dsc
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1.dsc
kdeutils_4.4.5-1+squeeze1_all.deb
  to main/k/kdeutils/kdeutils_4.4.5-1+squeeze1_all.deb
kdf_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kdf_4.4.5-1+squeeze1_amd64.deb
kfloppy_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kfloppy_4.4.5-1+squeeze1_amd64.deb
kgpg_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kgpg_4.4.5-1+squeeze1_amd64.deb
ktimer_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/ktimer_4.4.5-1+squeeze1_amd64.deb
kwalletmanager_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/kwalletmanager_4.4.5-1+squeeze1_amd64.deb
okteta_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/okteta_4.4.5-1+squeeze1_amd64.deb
plasma-scriptengine-superkaramba_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/plasma-scriptengine-superkaramba_4.4.5-1+squeeze1_amd64.deb
printer-applet_4.4.5-1+squeeze1_all.deb
  to main/k/kdeutils/printer-applet_4.4.5-1+squeeze1_all.deb
sweeper_4.4.5-1+squeeze1_amd64.deb
  to main/k/kdeutils/sweeper_4.4.5-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated kdeutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Mar 2012 21:36:25 +0000
Source: kdeutils
Binary: kdeutils kdeutils-dbg ark kcalc kcharselect kdelirc kdf kfloppy kgpg ktimer kwalletmanager okteta plasma-scriptengine-superkaramba sweeper printer-applet
Architecture: source all amd64
Version: 4:4.4.5-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 ark        - archive utility
 kcalc      - simple and scientific calculator
 kcharselect - special character utility
 kdelirc    - infrared remote control
 kdeutils   - general-purpose utilities from the official KDE release
 kdeutils-dbg - debugging symbols for the KDE utilities module
 kdf        - disk information utility
 kfloppy    - floppy formatter
 kgpg       - graphical front end for GNU Privacy Guard
 ktimer     - countdown timer
 kwalletmanager - secure password wallet manager
 okteta     - hexadecimal editor for binary files
 plasma-scriptengine-superkaramba - SuperKaramba theme support for the Plasma Workspaces
 printer-applet - manages your printing jobs
 sweeper    - history and temporary file cleaner
Closes: 635541
Changes: 
 kdeutils (4:4.4.5-1+squeeze1) stable; urgency=low
 .
   * Non-maintainer upload.
   * CVE-2011-2725: Backport patch for upstream directory traversal in Ark
     Closes: #635541 (thanks to Moritz Muehlenhoff)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Apr 2012 07:37:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:04:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.