604846 – (CVE-2017-5330) <kde-apps/ark-{16.08.3-r1,16.12.0-r1}: shell script execution (CVE-2017-5330)

Bug 604846 (CVE-2017-5330) - <kde-apps/ark-{16.08.3-r1,16.12.0-r1}: shell script execution (CVE-2017-5330)

Summary: <kde-apps/ark-{16.08.3-r1,16.12.0-r1}: shell script execution (CVE-2017-5330)

Status:	RESOLVED FIXED

Alias:	CVE-2017-5330

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard:	B2 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-01-06 15:45 UTC by Michael Palimaka (kensington)
Modified:	2017-01-29 16:27 UTC (History)
CC List:	4 users (show)

See Also:
Package list:	=kde-apps/ark-16.08.3-r1
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Palimaka (kensington) gentoo-dev

2017-01-06 15:45:31 UTC

From $URL:

When an archive includes an executable shell script and the user chose to open files in their associated applications, clicking on those scripts runs them.

As there is no indication (except the small icon in some cases) of the file being executable, this is highly misleading and even dangerous.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-06 16:04:35 UTC

@ Maintainer(s): Patched version not yet released; Patches for both versions in Gentoo repository available, see $URL.

Comment 2 Andreas Sturmlechner gentoo-dev

2017-01-07 13:23:53 UTC

Bumped 16.12.0-r1 and 16.08.3-r1 with the fix and verified with the upstream tar.gz example, dropped affected 16.12.0. 16.08.3-r1 should then be stabilised.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-07 14:18:32 UTC

@ Maintainer(s): Thank you for the rev bump!


@ Arches,

please test and mark stable: =kde-apps/ark-16.08.3-r1

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2017-01-08 04:45:34 UTC

amd64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-10 13:30:00 UTC

CVE assignment: http://seclists.org/oss-sec/2017/q1/46

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2017-01-10 14:47:03 UTC

(In reply to Thomas Deutschmann from comment #5)
> CVE assignment: http://seclists.org/oss-sec/2017/q1/46

So upstream is not trying to embargo. Good enough for me.

Comment 7 Agostino Sarubbo gentoo-dev

2017-01-13 15:43:57 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 8 Michael Palimaka (kensington) gentoo-dev

2017-01-13 16:32:36 UTC

Cleanup done.

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-20 15:22:55 UTC

New GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2017-01-29 16:27:17 UTC

This issue was resolved and addressed in
 GLSA 201701-69 at https://security.gentoo.org/glsa/201701-69
by GLSA coordinator Thomas Deutschmann (whissi).