Bug 363881 (CVE-2011-1586) - <kde-base/kget-4.6.2-r1: Directory traversal vulnerability (CVE-2011-1586)
Summary: <kde-base/kget-4.6.2-r1: Directory traversal vulnerability (CVE-2011-1586)
Status: RESOLVED FIXED
Alias: CVE-2011-1586
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 386295
Depends on: 354033
Blocks:
Reported: 2011-04-16 21:15 UTC by Tim Sammut (RETIRED)
Modified: 2012-03-10 23:06 UTC (History)
Description Tim Sammut (RETIRED) gentoo-dev 2011-04-16 21:15:24 UTC
The Ubuntu bug at $URL references a new, more complete fix for CVE-2010-1000, and states:

KDE has updated the fix for CVE-2010-1000.
The previous patch still allows up traversal at the beginning, e.g. "../foo/bar".

The upstream fixes are at: 

http://websvn.kde.org/?view=revision&revision=1227468
http://websvn.kde.org/?view=revision&revision=1227469
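
The flaw class described in the report, a traversal filter that misses ".." at the start of a name, sketched as an added example; this is not KGet's code or either upstream revision. The function names and the logic of the incomplete filter are assumptions made for illustration, and the sample names are constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Split a '/'-separated name into components (empty components are kept).
static std::vector<std::string> split_components(const std::string& name) {
    std::vector<std::string> parts;
    std::string::size_type start = 0;
    for (;;) {
        const std::string::size_type slash = name.find('/', start);
        if (slash == std::string::npos) {
            parts.push_back(name.substr(start));
            return parts;
        }
        parts.push_back(name.substr(start, slash - start));
        start = slash + 1;
    }
}

// Hypothetical incomplete filter (assumption, not the earlier KDE patch):
// it only notices ".." when a slash sits on both sides of it.
bool incomplete_filter_accepts(const std::string& name) {
    return name.find("/../") == std::string::npos;
}

// Component-wise check: reject absolute names and any ".." component,
// wherever it appears (start, middle or end).
bool is_confined_name(const std::string& name) {
    if (name.empty() || name[0] == '/') return false;
    const std::vector<std::string> parts = split_components(name);
    for (std::size_t i = 0; i < parts.size(); ++i) {
        if (parts[i] == "..") return false;
    }
    return true;
}

int main() {
    // Constructed sample names; "../foo/bar" is the case quoted in the report.
    const char* samples[] = {"foo/bar", "../foo/bar", "foo/../../bar",
                             "foo/..", "/abs/name", "foo..bar/baz"};
    for (std::size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        std::cout << samples[i]
                  << "  incomplete_filter=" << incomplete_filter_accepts(samples[i])
                  << "  component_check=" << is_confined_name(samples[i]) << "\n";
    }
    return 0;
}
```

Rejecting every ".." component is stricter than resolving the path and comparing it with the target directory, which is a reasonable policy for file names that arrive from untrusted input.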
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2011-05-14 13:46:18 UTC
Added as patch in kget-4.6.2-r1. (kget-4.6.3 already includes the fix.)
ppc will be handled directly in the kde stabilization bug.


x86 and amd64, please stabilize kde-base/kget-4.6.2-r1
Comment 2 Agostino Sarubbo gentoo-dev 2011-05-14 14:51:58 UTC
works on amd64
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2011-05-15 07:49:56 UTC
amd64 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-15 16:24:20 UTC
x86 stable
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-05-15 16:34:45 UTC
Thanks, everyone. GLSA Vote: No.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2011-05-15 16:47:39 UTC
Thanks everyone.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-15 16:49:29 UTC
NO too, closing.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-10 23:06:48 UTC
*** Bug 386295 has been marked as a duplicate of this bug. ***