| Summary: | <kde-base/kget-{4.3.3-r1, 4.3.5-r1}: Directory Traversal (CVE-2010-{1000,1511}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Maciej Mrozowski <reavertm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.kde.org/info/security/advisory-20100513-1.txt | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Maciej Mrozowski
2010-05-14 15:45:39 UTC
Rating; adapting whiteboard, summary and severity.

amd64/x86 stable

alpha/ia64/sparc don't have kde stable yet

CVE-2010-1000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000): Directory traversal vulnerability in KGet in KDE SC 4.0.0 through 4.4.3 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file.

CVE-2010-1511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511): KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request download confirmation from the user, which makes it easier for remote attackers to overwrite arbitrary files via a crafted metalink file.

neither does ppc64

Marked ppc stable, removing ppc64 since it doesn't have a stable kde4.

Is fixed in 4.4.4

ready for glsa

GLSA Vote: yes.

Vote: YES, glsa request filed.

removing KDE, CC us back if you need anything

<kget-4.3.5 long gone from tree..

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
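The two CVEs above describe one missing check each: a `name` attribute on a metalink `file` element that is used as a path without confinement to the download directory, and an existing file being overwritten without asking the user. The following is an added example, not KGet's code and not from the KDE advisory, of the validation a downloader needs before it opens the output file. It matches `file` elements by local name so that both the Metalink 3 namespace and the RFC 5854 namespace are accepted (an assumption about the inputs, not something the bug states), and the sample metalink document is constructed for the example.

```python
"""Defensive validation of <file name="..."> entries in a metalink document.

Added example, not KGet's code: it shows the check that keeps a name
attribute from escaping the chosen destination directory (the class of
problem in CVE-2010-1000) and from silently overwriting an existing file
(the class of problem in CVE-2010-1511).
"""
import os
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample document: one benign entry, one absolute path,
# one traversal sequence, and one name that normalizes to a safe subpath.
SAMPLE_METALINK = """<?xml version="1.0" encoding="utf-8"?>
<metalink xmlns="http://www.metalinker.org/">
  <files>
    <file name="kget-4.4.4.tar.bz2"><resources><url>http://example.invalid/a</url></resources></file>
    <file name="/abs/elsewhere.txt"><resources><url>http://example.invalid/b</url></resources></file>
    <file name="../outside.txt"><resources><url>http://example.invalid/c</url></resources></file>
    <file name="sub/./ok.txt"><resources><url>http://example.invalid/d</url></resources></file>
  </files>
</metalink>
"""


def _local(tag):
    # Strip an XML namespace prefix: "{http://...}file" -> "file".
    return tag.rsplit("}", 1)[-1]


def safe_target(dest_dir, name):
    """Return the absolute path for `name` under dest_dir, or raise ValueError.

    Rejects empty or padded names, backslashes and NUL, absolute paths, and
    any normalized path that would resolve outside dest_dir.
    """
    if not name or name != name.strip():
        raise ValueError("empty or whitespace-padded name")
    if "\\" in name or "\x00" in name:
        raise ValueError("backslash or NUL in name")
    if posixpath.isabs(name):
        raise ValueError("absolute path")
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise ValueError("path escapes destination directory")
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *normalized.split("/")))
    # Second, filesystem-level check: after symlink resolution the target
    # must still sit below the destination directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes destination directory")
    return target


def name_is_safe(name, dest_dir="/nonexistent/kget-example-dest"):
    """Convenience predicate: True when safe_target accepts the name."""
    try:
        safe_target(dest_dir, name)
        return True
    except ValueError:
        return False


def plan_downloads(metalink_xml, dest_dir, overwrite_ok=False):
    """Split the document's file entries into (accepted, rejected) lists.

    accepted holds (name, target_path); rejected holds (name, reason).
    An entry whose target already exists is rejected unless the caller has
    explicitly confirmed overwriting, which is the confirmation step the
    second CVE says was missing.
    """
    root = ET.fromstring(metalink_xml)
    accepted, rejected = [], []
    for element in root.iter():
        if _local(element.tag) != "file":
            continue
        name = element.get("name", "")
        try:
            target = safe_target(dest_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        if os.path.exists(target) and not overwrite_ok:
            rejected.append((name, "target exists; user confirmation required"))
            continue
        accepted.append((name, target))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads(SAMPLE_METALINK, "/nonexistent/kget-example-dest")
    for name, target in ok:
        print("accept", repr(name), "->", target)
    for name, reason in bad:
        print("reject", repr(name), ":", reason)
```

The two-stage check matters: the textual test on the normalized name catches `../` sequences before any filesystem call, and the `realpath` comparison catches a symlink inside the destination directory that points elsewhere. The overwrite decision is deliberately left to the caller through `overwrite_ok`, so a GUI or CLI front end has to ask before the file is clobbered.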