Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 386055 (CVE-2011-2725)

Summary: <kde-base/ark-4.7.4 Directory Traversal Vulnerability (CVE-2011-2725)
Product: Gentoo Security Reporter: Sean Amoss (RETIRED) <ackle>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/45378
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 377465, 396359    
Bug Blocks:    

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-07 11:32:09 UTC 
From $URL:

"A weakness has been reported in Ark, which can be exploited by malicious people to manipulate certain data.

The weakness is caused due to an input validation error when viewing files in ZIP archives, which can be exploited to display and delete arbitrary files via the "../" directory traversal sequence.

The weakness is reported in version 2.16. Other versions may also be affected."

The advisory does not list the fixed version, nor does the disclosure at:
http://seclists.org/fulldisclosure/2011/Oct/351
Comment 1 Maciej Mrozowski gentoo-dev 2011-10-20 00:15:33 UTC 
Fixed in:
ark-4.6.5-r1
ark-4.7.1-r1
ark-4.7.2-r1
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-20 01:44:02 UTC 
(In reply to comment #1)
> Fixed in:
> ark-4.6.5-r1
> ark-4.7.1-r1
> ark-4.7.2-r1

Maciej, I see that these versions are in the tree. Are they ready for stabilization?
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2011-10-20 20:28:28 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Fixed in:
> > ark-4.6.5-r1
(...)
> 
> Maciej, I see that these versions are in the tree. Are they ready for
> stabilization?

kde-base/ark-4.6.5-r1 is ready.
 
Arches please stabilize, target "amd64 x86" and "ppc" as soon as they get around stabilizing 4.6.5 in general. :|
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-20 20:37:22 UTC 
amd64 ok
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:20:14 UTC 
x86 stable
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-22 13:17:02 UTC 
ditto Ago
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-10-22 18:56:44 UTC 
amd64 done. Thanks Agostino and Ian
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-11-04 22:50:06 UTC 
AFAIK ppc is not going to stabilize 4.6.5, it makes no sense for them given that 4.7 stabilzation is nearing.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 22:56:37 UTC 
(In reply to comment #8)
> AFAIK ppc is not going to stabilize 4.6.5, it makes no sense for them given
> that 4.7 stabilzation is nearing.

Ok thanks. We'll wait on 388279.
Comment 10 Johannes Huber (RETIRED) gentoo-dev 2012-02-21 12:56:00 UTC 
<kde-base/ark-4.6.5-r1 removed from tree.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 12:57:29 UTC 
Thanks, everyone. GLSA vote: no.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-03-11 06:57:25 UTC 
GLSA Vote: yes.
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2012-04-03 21:11:05 UTC 
Thanks guys. Nothing left to do for kde.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:00:01 UTC 
NO too, closing.