CVE-2007-4400: CRLF injection vulnerability

Debian Bug report logs - #439837

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 27 Aug 2007 20:27:01 UTC

Severity: minor

Tags: security

Found in version konversation/1.0.1-1

Fixed in versions 1.0.1+svn691548-1, konversation/1.0.1-4

Done: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: Bug#439837; Package konversation.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4400: CRLF injection vulnerability
Date: Mon, 27 Aug 2007 22:24:16 +0200
Package: konversation
Version: 1.0.1-1
Severity: minor
Tags: security

A vulnerability has been found in Konversation. From CVE-2007-4400:

"CRLF injection vulnerability in the included media script in
Konversation allows user-assisted remote attackers to execute
arbitrary IRC commands via CRLF sequences in the name of the song in a
.mp3 file."

Severity minor since the attack vector is rather obscure.

Please mention the CVE id in the changelog.
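The bug class described above, as an added illustration that is not Konversation's or the media script's own code: a helper in the style of a "now playing" script builds the IRC line announcing the current track, first in the vulnerable form (the title interpolated verbatim, so an embedded CR/LF yields a second protocol line) and then in a hardened form that strips control characters and keeps the line within the IRC length limit. The function names and the sample title are constructed for this example.

```python
import re

# Control characters that terminate or alter an IRC protocol line.
# Assumption (not from the bug report): NUL and the other C0 controls are
# stripped as well, since none of them is valid inside an IRC message.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

IRC_MAX_LINE = 512  # RFC 1459 line limit, including the trailing CRLF


def build_irc_line_unsafe(channel: str, title: str) -> bytes:
    """Vulnerable form: the track title is interpolated verbatim.

    A title containing "\\r\\n" splits the output into two protocol lines,
    which is the CRLF injection CVE-2007-4400 describes."""
    return f"PRIVMSG {channel} :\x01ACTION is listening to {title}\x01\r\n".encode("utf-8")


def sanitize_title(title: str) -> str:
    """Remove every control character (CR, LF, NUL, ...) from metadata
    read out of a media file and collapse the whitespace left behind."""
    cleaned = _CTRL_RE.sub(" ", title)
    return " ".join(cleaned.split())


def build_irc_line(channel: str, title: str) -> bytes:
    """Hardened form: sanitize, then truncate so the line fits in 512 bytes."""
    safe = sanitize_title(title)
    prefix = f"PRIVMSG {channel} :\x01ACTION is listening to "
    suffix = "\x01\r\n"
    room = IRC_MAX_LINE - len(prefix.encode("utf-8")) - len(suffix.encode("utf-8"))
    # Cut on the byte budget, then drop any partial multi-byte character.
    body = safe.encode("utf-8")[:room].decode("utf-8", "ignore")
    return (prefix + body + suffix).encode("utf-8")


def protocol_lines(raw: bytes) -> list:
    """Split a byte buffer the way an IRC server would: one command per CRLF."""
    return [line for line in raw.split(b"\r\n") if line]


# Constructed sample: an ID3 title carrying an embedded line break.
SAMPLE_TITLE = "Nice Song\r\nSECOND LINE"
```

The unsafe builder hands the server two lines for this title; the hardened one hands it exactly one, which is the property a reviewer of such a script should check.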



Reply sent to Modestas Vainius <modestas@vainius.eu>: You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.


Message #10 received at 439837-done@bugs.debian.org:

From: Modestas Vainius <modestas@vainius.eu>
To: 439837-done@bugs.debian.org
Subject: Fixed in experimental version
Date: Thu, 30 Aug 2007 11:53:54 +0300
Version: 1.0.1+svn691548-1

Hi,

The bug was fixed on the 6th of November, 2006 (svn commits #602433 and 
#602435) hence the fix is included in this upstream SVN snapshot.

-- 
Modestas Vainius <modestas@vainius.eu>

Reply sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>: You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.


Message #15 received at 439837-close@bugs.debian.org:

From: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
To: 439837-close@bugs.debian.org
Subject: Bug#439837: fixed in konversation 1.0.1-4
Date: Thu, 30 Aug 2007 10:17:05 +0000
Source: konversation
Source-Version: 1.0.1-4

We believe that the bug you reported is fixed in the latest version of
konversation, which is due to be installed in the Debian FTP archive:

konversation-dbg_1.0.1-4_amd64.deb
  to pool/main/k/konversation/konversation-dbg_1.0.1-4_amd64.deb
konversation_1.0.1-4.diff.gz
  to pool/main/k/konversation/konversation_1.0.1-4.diff.gz
konversation_1.0.1-4.dsc
  to pool/main/k/konversation/konversation_1.0.1-4.dsc
konversation_1.0.1-4_amd64.deb
  to pool/main/k/konversation/konversation_1.0.1-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439837@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org> (supplier of updated konversation package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 30 Aug 2007 12:07:06 +0300
Source: konversation
Binary: konversation-dbg konversation
Architecture: source amd64
Version: 1.0.1-4
Distribution: unstable
Urgency: low
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Description: 
 konversation - user friendly Internet Relay Chat (IRC) client for KDE
 konversation-dbg - debugging symbols for konversation
Closes: 439837
Changes: 
 konversation (1.0.1-4) unstable; urgency=low
 .
   [ Modestas Vainius ]
   * Add new patches:
     - 15_CVE-2007-4400.diff to fix CVE-2007-4400 vulnerability.
     The patch is based on upstream SVN commits #602433 and #602435
     (Closes: #439837).
     - 16_konversation_desktop.diff to remove X-SuSE-IRCClient from
       konversation.desktop Categories to shut lintian up.
   * Change Debian menu section to Applications/Network/Communication.
Files: 
 48b06392c1f24f568bb11c9168fa08c0 814 kde optional konversation_1.0.1-4.dsc
 ea53191c635c9fc788f41971d9f82557 328829 kde optional konversation_1.0.1-4.diff.gz
 7799919dd04e47db6816c2cf1854796b 6537740 kde optional konversation_1.0.1-4_amd64.deb
 423a1dfa906d6f2c339fcc05f8be44e1 5005704 kde extra konversation-dbg_1.0.1-4_amd64.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Oct 2007 07:27:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:29:43 2019; Machine Name: beach
