kde-runtime: CVE-2014-8600: Insufficient Input Validation By IO Slaves and Webkit Part

Debian Bug report logs - #769632

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 15 Nov 2014 07:42:02 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in version kde-runtime/4:4.8.4-2

Fixed in version kde-runtime/4:4.14.2-2

Done: Maximiliano Curia <maxy@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#769632; Package src:kde-runtime. (Sat, 15 Nov 2014 07:42:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 15 Nov 2014 07:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kde-runtime: CVE-2014-8600: Insufficient Input Validation By IO Slaves and Webkit Part
Date: Sat, 15 Nov 2014 08:25:41 +0100
Source: kde-runtime
Version: 4:4.8.4-2
Severity: normal
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for kde-runtime.

CVE-2014-8600[0]:
Insufficient Input Validation By IO Slaves and Webkit Part

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8600
[1] https://www.kde.org/info/security/advisory-20141113-1.txt
[2] http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#769632; Package src:kde-runtime. (Tue, 09 Dec 2014 21:21:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 09 Dec 2014 21:21:11 GMT)


Message #10 received at 769632@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 769632@bugs.debian.org
Cc: carnil@debian.org
Subject: Re: kde-runtime: CVE-2014-8600: Insufficient Input Validation By IO Slaves and Webkit Part
Date: Tue, 9 Dec 2014 22:16:07 +0100
On Sat, Nov 15, 2014 at 08:25:41AM +0100, Salvatore Bonaccorso wrote:
> Source: kde-runtime
> Version: 4:4.8.4-2
> Severity: normal
> Tags: security upstream patch fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for kde-runtime.
> 
> CVE-2014-8600[0]:
> Insufficient Input Validation By IO Slaves and Webkit Part
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Could you please fix this for jessie?

Cheers,
        Moritz

> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-8600
> [1] https://www.kde.org/info/security/advisory-20141113-1.txt
> [2] http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9
> 
> Regards,
> Salvatore
> 
> 



Reply sent to Maximiliano Curia <maxy@debian.org>:
You have taken responsibility. (Wed, 10 Dec 2014 21:24:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Dec 2014 21:24:22 GMT)


Message #15 received at 769632-close@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 769632-close@bugs.debian.org
Subject: Bug#769632: fixed in kde-runtime 4:4.14.2-2
Date: Wed, 10 Dec 2014 21:21:12 +0000
Source: kde-runtime
Source-Version: 4:4.14.2-2

We believe that the bug you reported is fixed in the latest version of
kde-runtime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 769632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated kde-runtime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 10 Dec 2014 20:23:02 +0100
Source: kde-runtime
Binary: kde-runtime kdebase-runtime kde-runtime-data khelpcenter4 plasma-scriptengine-javascript kde-runtime-dbg kdebase-runtime-dbg
Architecture: source amd64 all
Version: 4:4.14.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 kde-runtime - runtime components from the official KDE release
 kde-runtime-data - shared data files for the KDE base runtime module
 kde-runtime-dbg - debugging symbols for KDE base runtime module
 kdebase-runtime - Transitional package for the KDE runtime components
 kdebase-runtime-dbg - transitional package for kde-runtime-dbg
 khelpcenter4 - help center
 plasma-scriptengine-javascript - JavaScript script engine for Plasma
Closes: 769632
Changes:
 kde-runtime (4:4.14.2-2) unstable; urgency=medium
 .
   [ Lisandro Damián Nicanor Pérez Meyer ]
   * Remove myself from Uploaders.
 .
   [ Maximiliano Curia ]
   * New upstream patch: upstream_sanitize_path, fixes CVE-2014-8600
     (Closes: #769632) Thanks to Salvatore Bonaccorso





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Jan 2015 07:27:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:43:04 2019; Machine Name: buxtehude
