ark: CVE-2017-5330: Unintended execution of scripts and executable files

Debian Bug report logs - #850874

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 Jan 2017 20:03:11 UTC

Severity: grave

Tags: fixed-upstream, patch, security, stretch-ignore, upstream

Found in versions ark/4:16.08.2-1, ark/4:16.08.3-1

Fixed in version ark/4:16.08.3-2

Done: Maximiliano Curia <maxy@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.kde.org/show_bug.cgi?id=374572

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#850874; Package src:ark. (Tue, 10 Jan 2017 20:03:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 10 Jan 2017 20:03:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ark: CVE-2017-5330: Unintended execution of scripts and executable files
Date: Tue, 10 Jan 2017 21:01:36 +0100
Source: ark
Version: 4:16.08.3-1
Severity: grave
Tags: upstream patch security fixed-upstream
Justification: user security hole
Forwarded: https://bugs.kde.org/show_bug.cgi?id=374572

Hi,

the following vulnerability was published for ark.

CVE-2017-5330[0]:
unintended execution of scripts and executable files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5330
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5330
[1] https://bugs.kde.org/show_bug.cgi?id=374572
[2] https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#850874; Package src:ark. (Wed, 11 Jan 2017 19:09:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 11 Jan 2017 19:09:07 GMT)


Message #10 received at 850874@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 850874@bugs.debian.org
Subject: Re: Bug#850874: ark: CVE-2017-5330: Unintended execution of scripts and executable files
Date: Wed, 11 Jan 2017 20:05:19 +0100
Hi

For jessie: I think the issue was only introduced after the "Open File"
action was introduced, which is post 15.11.80. Would be great if you
can confirm that.

Regards,
Salvatore



Marked as found in versions ark/4:16.08.2-1. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 14 Jan 2017 01:03:03 GMT)


Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 04 Feb 2017 10:30:08 GMT)


Reply sent to Maximiliano Curia <maxy@debian.org>:
You have taken responsibility. (Fri, 10 Feb 2017 15:51:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 10 Feb 2017 15:51:11 GMT)


Message #19 received at 850874-close@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 850874-close@bugs.debian.org
Subject: Bug#850874: fixed in ark 4:16.08.3-2
Date: Fri, 10 Feb 2017 15:48:35 +0000
Source: ark
Source-Version: 4:16.08.3-2

We believe that the bug you reported is fixed in the latest version of
ark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated ark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Feb 2017 16:29:46 +0100
Source: ark
Binary: ark
Architecture: source
Version: 4:16.08.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 ark        - archive utility
Closes: 850874
Changes:
 ark (4:16.08.3-2) unstable; urgency=medium
 .
   * Add new patch: Stop-running-executables-when-opening-urls.patch (CVE-2017-5330)
     Thanks to Salvatore Bonaccorso for reporting (Closes: 850874)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Mar 2017 07:30:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:33 2019; Machine Name: buxtehude
