Your message dated Sun, 05 Jul 2026 19:50:23 +0000
with message-id <[email protected]>
and subject line Bug#1135179: fixed in kcoreaddons 5.116.0-2
has caused the Debian Bug report #1135179,
regarding kcoreaddons: CVE-2026-41526
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135179: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135179
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kf6-kcoreaddons
Version: 6.23.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 6.13.0-1
Control: clone -1 -2
Control: reassign -2 src:kcoreaddons 5.116.0-1
Control: found -2 5.103.0-1
Control: retitle -2 kcoreaddons: CVE-2026-41526
Hi,
The following vulnerability was published for kf6-kcoreaddons.
CVE-2026-41526[0]:
| In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to
| safely quote arguments so that they can be passed to a shell
| command. This parsing does not adequately handle metacharacters,
| leading to an escape from the shell. All applications relying on
| this method in a security-critical path to handle user input are
| affected and could be exploited. In particular, because sendInput()
| sends a string to a terminal, a control character such as \x01 can
| be used during injection.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41526
https://www.cve.org/CVERecord?id=CVE-2026-41526
[1]
https://invent.kde.org/frameworks/kcoreaddons/-/commit/447250fb061d6a866eeef9ae3c21b627244b198a
[2] https://kde.org/info/security/advisory-20260427-1.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: kcoreaddons
Source-Version: 5.116.0-2
Done: Pino Toscano <[email protected]>
We believe that the bug you reported is fixed in the latest version of
kcoreaddons, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <[email protected]> (supplier of updated kcoreaddons package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Jul 2026 20:52:01 +0200
Source: kcoreaddons
Architecture: source
Version: 5.116.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <[email protected]>
Changed-By: Pino Toscano <[email protected]>
Closes: 1135179
Changes:
kcoreaddons (5.116.0-2) unstable; urgency=medium
.
* Team upload.
* CI: update/simplify configuration.
* Drop Rules-Requires-Root: no, no more needed since Debian trixie.
* Drop Priority: optional, not needed anymore since dpkg 1.22.13.
* Bump Standards-Version to 4.7.4, no changes required.
* Modernize building:
- add the dh-sequence-kf5 build dependency to use the kf5 addon
automatically
- add the dh-sequence-pkgkde-symbolshelper build dependency to use the
pkgkde_symbolshelper automatically
- drop the pkg-kde-tools build dependency, no more explicitly needed
- drop all the manually specified addons and buildsystem for dh
* Replace FSF postal address with a reference to
https://www.gnu.org/licenses/.
* Upgrade upstream signing key to new packet format.
* Remove an obsolete maintscript entry.
* Drop Breaks/Replaces for versions older than what is in Debian Bookworm.
* Drop the 'acc' autopkgtest, no more useful now.
* Stop shipping the upstream README.md in libkf5coreaddons-data, as it is
not much useful.
* Backport upstream commit 6153c9ae025fa570174bb4a143df38fa2f46606b and adapt
it to Qt 5 to fix CVE-2026-41526; patch
Remove-control-characters-when-quoting-args.patch. (Closes: #1135179)
* Replace the watch file with a v5 "untrackable" one.
Checksums-Sha1:
2423492876f113bbb85d1bbdf6a9e207bdba2ee8 2877 kcoreaddons_5.116.0-2.dsc
45217be8befda79d27b042faa7ab8cbb46b2e8a0 19936
kcoreaddons_5.116.0-2.debian.tar.xz
72fa3a746da88a72c205f75f46f77d49c3994bcf 11567
kcoreaddons_5.116.0-2_source.buildinfo
Checksums-Sha256:
0909c6332a0f726645d9956041d294d7255e8e26ad9a534c7ed7b6d271cf7c27 2877
kcoreaddons_5.116.0-2.dsc
e1c8ce6102f83a3ac264f9026cb8728a3e2d05a8280cdbabb929fc4c88438aac 19936
kcoreaddons_5.116.0-2.debian.tar.xz
35cd4a35a6df9706041bb331f21c93180c183893c64ef76c42ea4242a51356d6 11567
kcoreaddons_5.116.0-2_source.buildinfo
Files:
f0863f5ad62ffa0b0cfe87b6c670900f 2877 libs optional kcoreaddons_5.116.0-2.dsc
f7f5ac1d2e4927dc846abf146901d018 19936 libs optional
kcoreaddons_5.116.0-2.debian.tar.xz
c0510dccb72eb7b77fcbc0907370f01d 11567 libs optional
kcoreaddons_5.116.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXyqfuC+mweEHcAcHLRkciEOxP00FAmpKqBIACgkQLRkciEOx
P003CQ//eVibSBbDQQNvcud1/Blt3TboO+y4BVYjhGjP5m1Ihz5LsRjBkONaemlN
D0JU0GfQkiV+avM9thzxOymOSOiRa+3g5Rfu6KUx9wbUBwWzShfj6xvkI7kITU/B
S8HtL0CnsrCX0AnyWns4Sp9fZX2DfYXf8jzDdjwJO/zPY7tD8nhCw3iGOnGug0ru
5vw5FKlkOM36a/HDOqtu1sjSfIxnjHy6UrNokhNQT4WbiMsLLE3I0ZQ8q2CZrCeB
Ga48COKzVLbkQCam81b3oYwuLR+RKhDXMVXwkHryL2ujnWGLL8BaoZCsCUPUsjWQ
r3pzjpgVVedqwvMAWY1zi6VRIeAl6Y1SrFvKwej/xSd+1+1wNLSedAMJU2UINauu
j8OH4s3/64lQJFLiPahqiVKvaK640EJ37w1gnTHzWNPxXYvGZhUFASHfT5tci0hg
xnNqIsxZkwrQ3OFDc03h2rYlavcFCjjCXwo6SdNnrcrjUsoXCfHj43xKleMPlVi5
DmDDCVflhNRAaWRkZKZ25lI9ZXOetXwHNaVSMnfA0meXJJSldAHKpOFPo1Qo0CUZ
tEMreo7NipzuyiyeEqg3ON79TX5rqcJdUQM7nDgmjELn3D5kFqy36iadbjjGvxI4
n0xja4BQzt227p0Upofe4dxSOspnM0ablgFq4WSJAkmlhPGgbyE=
=zgGC
-----END PGP SIGNATURE-----
pgppNcNaAQgTG.pgp
Description: PGP signature
--- End Message ---