Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386055 (CVE-2011-2725) - <kde-base/ark-4.7.4 Directory Traversal Vulnerability (CVE-2011-2725)
Summary: <kde-base/ark-4.7.4 Directory Traversal Vulnerability (CVE-2011-2725)
Status: RESOLVED FIXED
Alias: CVE-2011-2725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/45378
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 377465 396359
Blocks:
  Show dependency tree
 
Reported: 2011-10-07 11:32 UTC by Sean Amoss (RETIRED)
Modified: 2012-08-14 16:00 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-07 11:32:09 UTC 
From $URL:

"A weakness has been reported in Ark, which can be exploited by malicious people to manipulate certain data.

The weakness is caused due to an input validation error when viewing files in ZIP archives, which can be exploited to display and delete arbitrary files via the "../" directory traversal sequence.

The weakness is reported in version 2.16. Other versions may also be affected."

The advisory does not list the fixed version, nor does the disclosure at:
http://seclists.org/fulldisclosure/2011/Oct/351
Comment 1 Maciej Mrozowski gentoo-dev 2011-10-20 00:15:33 UTC 
Fixed in:
ark-4.6.5-r1
ark-4.7.1-r1
ark-4.7.2-r1
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-20 01:44:02 UTC 
(In reply to comment #1)
> Fixed in:
> ark-4.6.5-r1
> ark-4.7.1-r1
> ark-4.7.2-r1

Maciej, I see that these versions are in the tree. Are they ready for stabilization?
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2011-10-20 20:28:28 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Fixed in:
> > ark-4.6.5-r1
(...)
> 
> Maciej, I see that these versions are in the tree. Are they ready for
> stabilization?

kde-base/ark-4.6.5-r1 is ready.
 
Arches please stabilize, target "amd64 x86" and "ppc" as soon as they get around stabilizing 4.6.5 in general. :|
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-20 20:37:22 UTC 
amd64 ok
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:20:14 UTC 
x86 stable
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-22 13:17:02 UTC 
ditto Ago
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-10-22 18:56:44 UTC 
amd64 done. Thanks Agostino and Ian
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-11-04 22:50:06 UTC 
AFAIK ppc is not going to stabilize 4.6.5, it makes no sense for them given that 4.7 stabilzation is nearing.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 22:56:37 UTC 
(In reply to comment #8)
> AFAIK ppc is not going to stabilize 4.6.5, it makes no sense for them given
> that 4.7 stabilzation is nearing.

Ok thanks. We'll wait on 388279.
Comment 10 Johannes Huber (RETIRED) gentoo-dev 2012-02-21 12:56:00 UTC 
<kde-base/ark-4.6.5-r1 removed from tree.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 12:57:29 UTC 
Thanks, everyone. GLSA vote: no.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-03-11 06:57:25 UTC 
GLSA Vote: yes.
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2012-04-03 21:11:05 UTC 
Thanks guys. Nothing left to do for kde.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:00:01 UTC 
NO too, closing.