Bug 3122 - Update candidate for kdeutils4 fixing CVE-2011-2725 for ark
Summary: Update candidate for kdeutils4 fixing CVE-2011-2725 for ark
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: Mageia 1
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-10-20 11:58 CEST by John Balcaen
Modified: 2011-10-20 17:59 CEST

See Also:
Source RPM:
CVE:
Status comment:



Description John Balcaen 2011-10-20 11:58:55 CEST
This package provides a fix for CVE-2011-2725 regarding ark.

Advisory :
« This package provides a fix for CVE-2011-2725 in ark where the previewer dialog would show (and then remove) the wrong file when a maliciously crafted archive had a file previewed. »

SRPM: kdeutils4-4.6.5-1.1.mga1.src.rpm

x86_64 :
ark-4.6.5-1.1.mga1.x86_64.rpm
filelight-4.6.5-1.1.mga1.x86_64.rpm
kcalc-4.6.5-1.1.mga1.x86_64.rpm
kcharselect-4.6.5-1.1.mga1.x86_64.rpm
kdeutils4-4.6.5-1.1.mga1.x86_64.rpm
kdeutils4-devel-4.6.5-1.1.mga1.x86_64.rpm
kdf-4.6.5-1.1.mga1.x86_64.rpm
kfloppy-4.6.5-1.1.mga1.x86_64.rpm
kgpg-4.6.5-1.1.mga1.x86_64.rpm
kremotecontrol-4.6.5-1.1.mga1.x86_64.rpm
ktimer-4.6.5-1.1.mga1.x86_64.rpm
kwallet-4.6.5-1.1.mga1.x86_64.rpm
lib64kerfuffle4-4.6.5-1.1.mga1.x86_64.rpm
lib64libkremotecontrol1-4.6.5-1.1.mga1.x86_64.rpm
lib64superkaramba4-4.6.5-1.1.mga1.x86_64.rpm
superkaramba-4.6.5-1.1.mga1.x86_64.rpm
sweeper-4.6.5-1.1.mga1.x86_64.rpm

i586 :
ark-4.6.5-1.1.mga1.i586.rpm
filelight-4.6.5-1.1.mga1.i586.rpm
kcalc-4.6.5-1.1.mga1.i586.rpm
kcharselect-4.6.5-1.1.mga1.i586.rpm
kdeutils4-4.6.5-1.1.mga1.i586.rpm
kdeutils4-devel-4.6.5-1.1.mga1.i586.rpm
kdf-4.6.5-1.1.mga1.i586.rpm
kfloppy-4.6.5-1.1.mga1.i586.rpm
kgpg-4.6.5-1.1.mga1.i586.rpm
kremotecontrol-4.6.5-1.1.mga1.i586.rpm
ktimer-4.6.5-1.1.mga1.i586.rpm
kwallet-4.6.5-1.1.mga1.i586.rpm
libkerfuffle4-4.6.5-1.1.mga1.i586.rpm
liblibkremotecontrol1-4.6.5-1.1.mga1.i586.rpm
libsuperkaramba4-4.6.5-1.1.mga1.i586.rpm
superkaramba-4.6.5-1.1.mga1.i586.rpm
sweeper-4.6.5-1.1.mga1.i586.rpm


Regards,
Comment 1 John Balcaen 2011-10-20 12:00:04 CEST
QA should check that ark is still working after this patch :)

CC: (none) => balcaen.john
Target Milestone: --- => Mageia 1

Comment 2 claire robinson 2011-10-20 17:39:33 CEST
Exploit instructions are here

http://packetstormsecurity.org/files/105610/NDSA20110726.txt


i586:

Confirmed exploit and updated.

Confirmed fix. Tested Ark with several file types.

All Ok.
Comment 3 claire robinson 2011-10-20 17:52:21 CEST
Tested OK x86_64 too, various file types.

Update Validated

Advisory :
« This package provides a fix for CVE-2011-2725 in ark where the previewer dialog would show (and then remove) the wrong file when a maliciously crafted archive had a file previewed. »

SRPM: kdeutils4-4.6.5-1.1.mga1.src.rpm

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2011-10-20 17:59:19 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
