Bug 604846 (CVE-2017-5330) - <kde-apps/ark-{16.08.3-r1,16.12.0-r1}: shell script execution (CVE-2017-5330)
Summary: <kde-apps/ark-{16.08.3-r1,16.12.0-r1}: shell script execution (CVE-2017-5330)
Status: RESOLVED FIXED
Alias: CVE-2017-5330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-06 15:45 UTC by Michael Palimaka (kensington)
Modified: 2017-01-29 16:27 UTC

See Also:
Package list:
=kde-apps/ark-16.08.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Michael Palimaka (kensington) gentoo-dev 2017-01-06 15:45:31 UTC
From $URL:

When an archive includes an executable shell script and the user chose to open files in their associated applications, clicking on those scripts runs them.

As there is no indication (except the small icon in some cases) of the file being executable, this is highly misleading and even dangerous.
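The report above describes a preview/"open with associated application" path that hands an extracted file to the desktop launcher with its archived mode bits intact, so a member stored as 0755 with a shebang simply runs. The following is an added example written for this page, not code from Ark or from the upstream or Gentoo fix: it builds a constructed tar.gz in memory (standing in for the upstream example archive mentioned later in this bug, which is not reproduced here), lists the members that would execute if opened with their archived permissions, and contrasts an extraction that preserves the archived mode with one that strips execute bits before the file is handed to anything. All function names (`build_sample_archive`, `find_executable_members`, `extract_preserving_mode`, `extract_for_open`, `demo`) are this example's own, and the mitigation shown is the general shape one would expect, not a claim about the exact upstream patch.

```python
import io
import os
import stat
import tarfile
import tempfile


def build_sample_archive() -> bytes:
    """Constructed sample: one plain text file plus one shell script stored
    with mode 0755 and a misleading name. Built in memory so the example
    runs offline; it is not the upstream example archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        notes = b"just some notes\n"
        info = tarfile.TarInfo("docs/README.txt")
        info.size, info.mode = len(notes), 0o644
        tar.addfile(info, io.BytesIO(notes))

        script = b"#!/bin/sh\necho 'this would run as the user'\n"
        info = tarfile.TarInfo("docs/report.txt.sh")
        info.size, info.mode = len(script), 0o755
        tar.addfile(info, io.BytesIO(script))
    return buf.getvalue()


def find_executable_members(archive: bytes):
    """Triage helper: return (name, octal mode, looks_runnable) for every
    regular member with any execute bit set. looks_runnable is True when the
    content starts with a shebang or an ELF header, i.e. the launcher would
    not just display it but execute it."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile() or not (m.mode & 0o111):
                continue
            with tar.extractfile(m) as f:
                head = f.read(4)
            runnable = head.startswith(b"#!") or head.startswith(b"\x7fELF")
            hits.append((m.name, oct(m.mode), runnable))
    return hits


def _write_member(tar: tarfile.TarFile, m: tarfile.TarInfo, dest_dir: str, mode: int) -> str:
    """Write one regular member below dest_dir with an explicit mode.
    Refuses names that would escape dest_dir (a separate, classic archive
    hazard; guarded here so the example is safe to run on untrusted input)."""
    if not m.isfile():
        raise ValueError(f"{m.name!r} is not a regular file")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, m.name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to extract {m.name!r} outside {dest_dir}")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with tar.extractfile(m) as src, open(target, "wb") as out:
        out.write(src.read())
    os.chmod(target, mode)  # explicit; not subject to umask
    return target


def extract_preserving_mode(archive: bytes, member: str, dest_dir: str) -> str:
    """Mirrors the reported behaviour: the archived permission bits survive,
    so an 0755 script comes out executable and the associated-application
    launcher will run it instead of opening it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        m = tar.getmember(member)
        return _write_member(tar, m, dest_dir, m.mode & 0o777)


def extract_for_open(archive: bytes, member: str, dest_dir: str) -> str:
    """Mitigation: a preview/open-with path never produces an executable file.
    Owner read/write only, whatever the archive claimed."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        m = tar.getmember(member)
        return _write_member(tar, m, dest_dir, stat.S_IRUSR | stat.S_IWUSR)


def is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & 0o111)


def demo() -> dict:
    """Run both extraction paths on the constructed archive and report."""
    archive = build_sample_archive()
    hits = find_executable_members(archive)
    with tempfile.TemporaryDirectory() as tmp:
        naive = extract_preserving_mode(archive, "docs/report.txt.sh", os.path.join(tmp, "naive"))
        safe = extract_for_open(archive, "docs/report.txt.sh", os.path.join(tmp, "safe"))
        return {"hits": hits,
                "naive_exec": is_executable(naive),
                "safe_exec": is_executable(safe)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`find_executable_members` is the check to run over an archive you are asked to assess: any hit with `looks_runnable` True is a file that a permission-preserving open-with path would have executed. `extract_for_open` shows the property a fixed client needs on that path: the file it hands to the launcher has no execute bit, so the desktop opens it with the handler for its content type rather than running it.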
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-06 16:04:35 UTC
@ Maintainer(s): Patched version not yet released; patches for both versions in Gentoo repository available, see $URL.
Comment 2 Andreas Sturmlechner gentoo-dev 2017-01-07 13:23:53 UTC
Bumped 16.12.0-r1 and 16.08.3-r1 with the fix and verified with the upstream tar.gz example, dropped affected 16.12.0. 16.08.3-r1 should then be stabilised.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 14:18:32 UTC
@ Maintainer(s): Thank you for the rev bump!


@ Arches,

please test and mark stable: =kde-apps/ark-16.08.3-r1
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-01-08 04:45:34 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 13:30:00 UTC
CVE assignment: http://seclists.org/oss-sec/2017/q1/46
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-01-10 14:47:03 UTC
(In reply to Thomas Deutschmann from comment #5)
> CVE assignment: http://seclists.org/oss-sec/2017/q1/46

So upstream is not trying to embargo. Good enough for me.
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-13 15:43:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Michael Palimaka (kensington) gentoo-dev 2017-01-13 16:32:36 UTC
Cleanup done.
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-20 15:22:55 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 16:27:17 UTC
This issue was resolved and addressed in
 GLSA 201701-69 at https://security.gentoo.org/glsa/201701-69
by GLSA coordinator Thomas Deutschmann (whissi).