Debian Bug report logs - #832620
kde4libs: CVE-2016-6232: Extraction of tar files possible to arbitrary system locations
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 27 Jul 2016 15:33:02 UTC
Severity: important
Tags: security, upstream
Found in version kde4libs/4:4.8.4-4
Fixed in versions kde4libs/4:4.8.4-4+deb7u2, kde4libs/4:4.14.22-2, kde4libs/4:4.14.2-5+deb8u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#832620; Package src:kde4libs. (Wed, 27 Jul 2016 15:33:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 27 Jul 2016 15:33:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for kde4libs.
CVE-2016-6232[0]:
Extraction of tar files possible to arbitrary system locations
Please note [1], where Balint noticed that the patch in 4:4.14.22-1 was
incomplete.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6232
[1] https://lists.debian.org/debian-lts/2016/07/msg00144.html
Regards,
Salvatore
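The CVE title above describes the archive path-traversal bug class: a crafted tar whose member names contain `..` components or start with `/` (or whose symlinks and hardlinks point outside the destination) makes a naive extractor write files to arbitrary locations on the system. The following is an added example, not KDE's code and not the upstream patch for this CVE; it uses Python's standard tarfile module to build a constructed sample archive and shows the checks a hardened extractor applies before writing any member. The member names, the payloads and the destination path are invented for illustration.

```python
import io
import os
import tarfile
import tempfile


def _inside(base: str, target: str) -> bool:
    """True if target resolves to a location under base (both made absolute)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def classify_members(tar: tarfile.TarFile, dest: str):
    """Return (safe, rejected) member names for extraction into dest.

    Rejected: absolute names, names that climb out of dest via '..', and
    symlinks/hardlinks whose target lies outside dest (a later member
    written through such a link would escape as well).
    """
    safe, rejected = [], []
    for m in tar.getmembers():
        landing = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not _inside(dest, landing):
            rejected.append(m.name)
            continue
        if m.issym():
            # symlink targets are relative to the link's own directory
            target = os.path.join(os.path.dirname(landing), m.linkname)
            if os.path.isabs(m.linkname) or not _inside(dest, target):
                rejected.append(m.name)
                continue
        elif m.islnk():
            # hardlink targets are archive-relative paths
            target = os.path.join(dest, m.linkname)
            if not _inside(dest, target):
                rejected.append(m.name)
                continue
        safe.append(m.name)
    return safe, rejected


def check_archive(data: bytes, dest: str):
    """Classify the members of an in-memory tar without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return classify_members(tar, dest)


def safe_extract(data: bytes, dest: str):
    """Extract only the members that pass classify_members; return their names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        safe, _ = classify_members(tar, dest)
        for m in tar.getmembers():
            if m.name in safe:
                tar.extract(m, dest)
        return safe


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from any real attack): one benign file,
    a '..' traversal entry, an absolute-path entry and an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("theme/colors.txt", b"background=#000\n"),
            ("../../../../tmp/owned", b"pwned\n"),
            ("/etc/cron.d/evil", b"* * * * * root id\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("theme/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc"
        tar.addfile(link)
    return buf.getvalue()


def demo():
    """Extract the sample into a fresh temp dir.

    Returns (extracted names, rejected names, whether the benign file landed
    under the destination)."""
    dest = tempfile.mkdtemp(prefix="tar-traversal-demo-")
    data = build_sample_archive()
    _, rejected = check_archive(data, dest)
    extracted = safe_extract(data, dest)
    present = os.path.isfile(os.path.join(dest, "theme", "colors.txt"))
    return extracted, rejected, present


if __name__ == "__main__":
    extracted, rejected, present = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
    print("benign file on disk:", present)
```

The check resolves every landing path with realpath before comparing, so it does not matter how many `..` components are nested or whether the destination itself sits behind a symlink; the one thing it deliberately does not do is "sanitize" a bad name into a good one, since an archive that tries to escape is better refused than silently rewritten.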
Marked as fixed in versions kde4libs/4:4.8.4-4+deb7u2. Request was from Bálint Réczey <balint@balintreczey.hu> to control@bugs.debian.org. (Sat, 30 Jul 2016 00:09:04 GMT)
Marked as fixed in versions kde4libs/4:4.14.22-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Aug 2016 19:06:07 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Tue, 16 Aug 2016 22:36:34 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 16 Aug 2016 22:36:34 GMT)
Message #14 received at 832620-close@bugs.debian.org:
Source: kde4libs
Source-Version: 4:4.14.2-5+deb8u1
We believe that the bug you reported is fixed in the latest version of
kde4libs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated kde4libs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Aug 2016 15:33:57 +0200
Source: kde4libs
Binary: libkdecore5 libkdeui5 libkpty4 libkdesu5 libkjsapi4 libkjsembed4 libkio5 libkntlm4 libsolid4 libkde3support4 libkfile4 libknewstuff2-4 libknewstuff3-4 libkparts4 libkutils4 libthreadweaver4 libkhtml5 libkimproxy4 libkmediaplayer4 libktexteditor4 libknotifyconfig4 libkdnssd4 libkrosscore4 libkrossui4 libnepomuk4 libnepomukutils4 libnepomukquery4a libplasma3 libkunitconversion4 libkdewebkit5 libkcmutils4 libkemoticons4 libkidletime4 libkprintutils4 libkdeclarative5 kdelibs-bin kdelibs5-plugins kdelibs5-data kdoctools kdelibs5-dev kdelibs5-dbg
Architecture: all source
Version: 4:4.14.2-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 832620
Description:
kdelibs-bin - core executables for KDE Applications
kdelibs5-data - core shared data for all KDE Applications
kdelibs5-dbg - debugging symbols for the KDE Development Platform libraries
kdelibs5-dev - development files for the KDE Development Platform libraries
kdelibs5-plugins - core plugins for KDE Applications
kdoctools - various tools for accessing application documentation
libkcmutils4 - utility classes for using KCM modules
libkde3support4 - KDE 3 Support Library for the KDE 4 Platform
libkdeclarative5 - declarative library for plasma
libkdecore5 - KDE Platform Core Library
libkdesu5 - Console-mode Authentication Library for the KDE Platform
libkdeui5 - KDE Platform User Interface Library
libkdewebkit5 - KDE WebKit Library
libkdnssd4 - DNS-SD Protocol Library for the KDE Platform
libkemoticons4 - utility classes to deal with emoticon themes
libkfile4 - File Selection Dialog Library for KDE Platform
libkhtml5 - KHTML Web Content Rendering Engine
libkidletime4 - library to provide information about idle time
libkimproxy4 - Instant Messaging Interface Library for the KDE Platform
libkio5 - Network-enabled File Management Library for the KDE Platform
libkjsapi4 - KJS API Library for the KDE Development Platform
libkjsembed4 - library for binding JavaScript objects to QObjects
libkmediaplayer4 - KMediaPlayer Interface for the KDE Platform
libknewstuff2-4 - "Get Hot New Stuff" v2 Library for the KDE Platform
libknewstuff3-4 - "Get Hot New Stuff" v3 Library for the KDE Platform
libknotifyconfig4 - library for configuring KDE Notifications
libkntlm4 - NTLM Authentication Library for the KDE Platform
libkparts4 - Framework for the KDE Platform Graphical Components
libkprintutils4 - utility classes to deal with printing
libkpty4 - Pseudo Terminal Library for the KDE Platform
libkrosscore4 - Kross Core Library
libkrossui4 - Kross UI Library
libktexteditor4 - KTextEditor interfaces for the KDE Platform
libkunitconversion4 - Unit Conversion library for the KDE Platform
libkutils4 - dummy transitional library
libnepomuk4 - Nepomuk Meta Data Library
libnepomukquery4a - Nepomuk Query Library for the KDE Platform
libnepomukutils4 - Nepomuk Utility Library
libplasma3 - Plasma Library for the KDE Platform
libsolid4 - Solid Library for KDE Platform
libthreadweaver4 - ThreadWeaver Library for the KDE Platform
Changes:
kde4libs (4:4.14.2-5+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-6232: Extraction of tar files possible to arbitrary system
locations (Closes: #832620)
Checksums-Sha1:
8600a11bcefc5475689b6be885683fa9b09e52ca 5557 kde4libs_4.14.2-5+deb8u1.dsc
3b60a2458efec1081678f4cb0952f97c219b74b9 11597872 kde4libs_4.14.2.orig.tar.xz
cc25c248b8369332a816c441c9efff82254a8e1b 265356 kde4libs_4.14.2-5+deb8u1.debian.tar.xz
2897408d9ea4b15fb650195413c5c90d62859b39 2921374 kdelibs5-data_4.14.2-5+deb8u1_all.deb
Checksums-Sha256:
245543f3f32dbad57614ca10b04f9df7b0e3a9e65aff6098a395d11da0768856 5557 kde4libs_4.14.2-5+deb8u1.dsc
39745a77f019cc1280374aa5de02fbf961393d1045059aa811fc374e0afd895b 11597872 kde4libs_4.14.2.orig.tar.xz
02fe3ea76e3b59f554af762cf210841f9b1698673aabc1afdf7209fab0444b5a 265356 kde4libs_4.14.2-5+deb8u1.debian.tar.xz
927bbe2da34d01f176040bdb6cbaa44f01ce92d1d4b9d3ee8c479ad0595b2df1 2921374 kdelibs5-data_4.14.2-5+deb8u1_all.deb
Files:
187a03ca4fb4286a9161bb393f0ef525 5557 libs optional kde4libs_4.14.2-5+deb8u1.dsc
a0f5dff706c03ff19b99bc2c51f8de2c 11597872 libs optional kde4libs_4.14.2.orig.tar.xz
bcd00194b0f40e00de25166bff61578c 265356 libs optional kde4libs_4.14.2-5+deb8u1.debian.tar.xz
b970f4ef58da3a7c862a4364d7fc83d7 2921374 libs optional kdelibs5-data_4.14.2-5+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXpfNFAAoJEAVMuPMTQ89EcEMP/iWH2D4AHFx1Xz5tWP+RjNi+
1S2WpVjZP8oCJEVNxVFFvoaHuRpdNh4bxDtNt+oU1EB490Ks/XnD1Je0zNEGXC5u
FPZ1Pb0X0+otp2YYRclMMklw+57KE+a2BypHZgd/mbsTLEavbiucqqzmoUOwCarl
kDYDuLnSND9QgVDQhsv8KufK2dNqSISBZUuf+rbkppZFRYE1oluPvhUGeN+ZPr8V
QMqK24q/WO0WRsa8A8xvVeaWCcwu6/2wVA41fJe5/LRmIFo+URlckkKfGkZSoYB3
ghsCIaeNsIhCNBy8B6UrWj6HIhpNCLORTLtsMxuNOxj/Zbmij6bXg6mOaHijqNXF
CzyHkVIkbbabkokgDVsGln/WPN73gqRuRTE4aEBUF+yEBeW+Pg6n7zKct9KCjKrF
oXPxWMBglgp035cw9IZ4cM/LepN/nTLeheJAJB2dK/PBkME87DU52syGh078xkgK
H6a1bazPRKKt+4uaQwhAkfUDeykh7dfnYMBU75qO62mh43zVsVrpsLZAu5CAQ5ju
Eu8qNEUFkpTFsJWbfNynyWncydDme6KjFaeha/BYtLHY2fuZtjcp6aYwR9e05nUi
J9yu3w4wkSCRmPEtUsq4x8RQaZ0ZXZ2575dHD0825844I0yufxwWZmDgcrDPlRDe
85uDtSR27kJfx207iYJq
=6ncf
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Sep 2016 07:27:10 GMT)
Last modified: Wed Jun 19 13:06:12 2019; Machine Name: buxtehude