Bug 3122

Summary: Update candidate for kdeutils4 fixing CV 2011-2725 for ark
Product: Mageia Reporter: John Balcaen <balcaen.john>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: balcaen.john, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: Mageia 1   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description John Balcaen 2011-10-20 11:58:55 CEST 
This package provides a fix for CVE-2011-2725 regarding ark.

Advisory :
« This packages provides a fix for CVE-2011-2725 in ark where the previewer dialog would show (and then remove) the wrong file when a maliciously crafted archive had a file previewed.»

SRPM: kdeutils4-4.6.5-1.1.mga1.src.rpm

x86_64 :
ark-4.6.5-1.1.mga1.x86_64.rpm                                                   filelight-4.6.5-1.1.mga1.x86_64.rpm
kcalc-4.6.5-1.1.mga1.x86_64.rpm
kcharselect-4.6.5-1.1.mga1.x86_64.rpm
kdeutils4-4.6.5-1.1.mga1.x86_64.rpm
kdeutils4-devel-4.6.5-1.1.mga1.x86_64.rpm
kdf-4.6.5-1.1.mga1.x86_64.rpm
kfloppy-4.6.5-1.1.mga1.x86_64.rpm
kgpg-4.6.5-1.1.mga1.x86_64.rpm
kremotecontrol-4.6.5-1.1.mga1.x86_64.rpm
ktimer-4.6.5-1.1.mga1.x86_64.rpm
kwallet-4.6.5-1.1.mga1.x86_64.rpm
lib64kerfuffle4-4.6.5-1.1.mga1.x86_64.rpm
lib64libkremotecontrol1-4.6.5-1.1.mga1.x86_64.rpm
lib64superkaramba4-4.6.5-1.1.mga1.x86_64.rpm
superkaramba-4.6.5-1.1.mga1.x86_64.rpm
sweeper-4.6.5-1.1.mga1.x86_64.rpm

i586
ark-4.6.5-1.1.mga1.i586.rpm                                                                                                                                                                                    
filelight-4.6.5-1.1.mga1.i586.rpm
kcalc-4.6.5-1.1.mga1.i586.rpm
kcharselect-4.6.5-1.1.mga1.i586.rpm
kdeutils4-4.6.5-1.1.mga1.i586.rpm
kdeutils4-devel-4.6.5-1.1.mga1.i586.rpm
kdf-4.6.5-1.1.mga1.i586.rpm
kfloppy-4.6.5-1.1.mga1.i586.rpm
kgpg-4.6.5-1.1.mga1.i586.rpm
kremotecontrol-4.6.5-1.1.mga1.i586.rpm
ktimer-4.6.5-1.1.mga1.i586.rpm
kwallet-4.6.5-1.1.mga1.i586.rpm
libkerfuffle4-4.6.5-1.1.mga1.i586.rpm
liblibkremotecontrol1-4.6.5-1.1.mga1.i586.rpm
libsuperkaramba4-4.6.5-1.1.mga1.i586.rpm
superkaramba-4.6.5-1.1.mga1.i586.rpm
sweeper-4.6.5-1.1.mga1.i586.rpm


Regards,
Comment 1 John Balcaen 2011-10-20 12:00:04 CEST 
QA should check that ark is still working after this patch :)

CC: (none) => balcaen.john
Target Milestone: --- => Mageia 1

Comment 2 claire robinson 2011-10-20 17:39:33 CEST 
Exploit instructions are here 

http://packetstormsecurity.org/files/105610/NDSA20110726.txt


i586:

Confirmed exploit and updated. 

Confirmed fix. Tested Ark with several file types.

All Ok.
Comment 3 claire robinson 2011-10-20 17:52:21 CEST 
Tested OK x86_64 too, various file types.

Update Validated

Advisory :
« This packages provides a fix for CVE-2011-2725 in ark where the previewer
dialog would show (and then remove) the wrong file when a maliciously crafted
archive had a file previewed.»

SRPM: kdeutils4-4.6.5-1.1.mga1.src.rpm

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2011-10-20 17:59:19 CEST 
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED