From ${URL} :

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were needed.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Version bumped. Go ahead with stabilization. +*kdirstat-2.7.5 (18 Mar 2014) + + 18 Mar 2014; Johannes Huber <johu@gentoo.org> +kdirstat-2.7.5.ebuild: + Version bump wrt bug #504994. +
Arches, please test and mark stable: =kde-misc/kdirstat-2.7.5 Target keywords : "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
+ 19 Mar 2014; Michael Palimaka <kensington@gentoo.org> -kdirstat-2.7.3.ebuild: + Remove old version vulnerable to CVE-2014-2527 wrt bug #504994.
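Review bot: the removal entry cites only CVE-2014-2527, yet the CVE summary on this bug attributes the single-quote case in KDirStat 2.7.3, the version being dropped here, to CVE-2014-2528. Consider naming both identifiers, e.g. "Remove old version vulnerable to CVE-2014-2527 and CVE-2014-2528 wrt bug #504994."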
Thanks all. Removing kde from cc as there is nothing for us to do anymore.
GLSA request filed
This issue was resolved and addressed in GLSA 201406-15 at http://security.gentoo.org/glsa/glsa-201406-15.xml by GLSA coordinator Mikle Kolyada (Zlogene).
CVE-2014-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2528): kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a ' (single quote) character in the directory name, a different vulnerability than CVE-2014-2527.

CVE-2014-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2527): kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a " (double quote) character in the directory name, a different vulnerability than CVE-2014-2528.
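The two CVE entries above describe the same quoting mistake with different quote characters. The following is an added example, not KDirStat's kcleanup.cpp and not the upstream fix: it contrasts wrapping a name in a single kind of quote with POSIX single-quote escaping, and asks `/bin/sh` what it actually received. All function names and the sample directory names are constructed for illustration.

```cpp
// Added illustration; not KDirStat's kcleanup.cpp. All function names are hypothetical.
#include <cstdio>
#include <string>

// Flawed pattern: wrap the name in one kind of quote and hope it contains none.
std::string naiveQuote(const std::string& path, char q) {
    return std::string(1, q) + path + std::string(1, q);
}

// POSIX sh: nothing is special inside '...'; a literal ' is written as '\''.
std::string shellQuote(const std::string& path) {
    std::string out = "'";
    for (char c : path) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Ask /bin/sh to print the quoted word back; returns what the shell actually saw.
std::string shellSees(const std::string& quotedWord) {
    std::string cmd = "printf '%s' " + quotedWord;
    std::string seen;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return seen;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) seen.append(buf, n);
    pclose(p);
    return seen;
}

// True when the shell receives exactly the original name as a single argument.
bool roundTrips(const std::string& name, const std::string& quotedWord) {
    return shellSees(quotedWord) == name;
}

int main() {
    // Constructed, harmless directory names covering both quote characters.
    const std::string names[] = {"it's", "say \"hi\"", "a\"b'c", "$HOME dir"};
    for (const auto& n : names)
        std::printf("%-12s single=%d double=%d escaped=%d\n", n.c_str(),
                    roundTrips(n, naiveQuote(n, '\'')),
                    roundTrips(n, naiveQuote(n, '"')),
                    roundTrips(n, shellQuote(n)));
}
```

Only the escaped form survives every name. Passing the path as its own argv element to the program, with no shell in between, removes the quoting question altogether.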