Summary: | <kde-misc/kdirstat-2.7.5 : insufficient quote escaping leading to arbitrary command execution (CVE-2014-{2527,2528}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/03/17/2 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-03-18 16:52:59 UTC
Version bumped. Go ahead with stabilization. +*kdirstat-2.7.5 (18 Mar 2014) + + 18 Mar 2014; Johannes Huber <johu@gentoo.org> +kdirstat-2.7.5.ebuild: + Version bump wrt bug #504994. + Arches, please test and mark stable: =kde-misc/kdirstat-2.7.5 Target keywords : "amd64 x86" amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. + 19 Mar 2014; Michael Palimaka <kensington@gentoo.org> -kdirstat-2.7.3.ebuild: + Remove old version vulnerable to CVE-2014-2527 wrt bug #504994. Thanks all. Removing kde from cc as it is nothing to do for us anymore. GLSA request filed This issue was resolved and addressed in GLSA 201406-15 at http://security.gentoo.org/glsa/glsa-201406-15.xml by GLSA coordinator Mikle Kolyada (Zlogene). CVE-2014-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2528): kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a ' (single quote) character in the directory name, a different vulnerability than CVE-2014-2527. CVE-2014-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2527): kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a " (double quote) character in the directory name, a different vulnerability than CVE-2014-2528. |