Source: ktexteditor
Version: 5.90.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ktexteditor.

CVE-2022-23853[0]:
| The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2
| and KTextEditor before 5.91.0 tries to execute the associated LSP
| server binary when opening a file of a given type. If this binary is
| absent from the PATH, it will try running the LSP server binary in the
| directory of the file that was just opened (due to a misunderstanding
| of the QProcess API, that was never intended). This can be an
| untrusted directory.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23853
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23853
[1] https://kde.org/info/security/advisory-20220131-1.txt
[2] https://commits.kde.org/ktexteditor/804e49444c093fe58ec0df2ab436565e50dc147e
[3] https://commits.kde.org/ktexteditor/c80f935c345de2e2fb10635202800839ca9697bf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
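The defensive pattern the advisory implies, as an added example that is not part of the bug report or of the KTextEditor fix: resolve the configured server name against the directories in PATH only, and refuse to launch anything that is not found there, so an absent server can never be looked up in the directory of the document that was just opened. The function names below (splitPath, findExecutableIn, findExecutable) are assumptions for this illustration; the code is plain POSIX C++ with no Qt dependency.

```cpp
// Added example (not KTextEditor code): resolve an LSP server name against PATH
// only, never against the directory of the opened document.
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Split a PATH-style string on ':', dropping empty entries: on POSIX an empty
// element means "current directory", which is exactly the lookup to avoid.
std::vector<std::string> splitPath(const std::string &pathEnv) {
    std::vector<std::string> dirs;
    std::string cur;
    for (char c : pathEnv) {
        if (c != ':') { cur += c; continue; }
        if (!cur.empty()) dirs.push_back(cur);
        cur.clear();
    }
    if (!cur.empty()) dirs.push_back(cur);
    return dirs;
}

// Return the absolute path of `program` found in `dirs`, or "" if it is not
// there. Only bare names are accepted and only absolute PATH entries are
// searched, so a missing server can never resolve to a file next to the
// document that was just opened. The caller must spawn only the returned
// absolute path and otherwise disable the server for that file type.
std::string findExecutableIn(const std::string &program,
                             const std::vector<std::string> &dirs) {
    if (program.empty() || program.find('/') != std::string::npos) return "";
    for (const std::string &dir : dirs) {
        if (dir.empty() || dir[0] != '/') continue; // relative entry: resolves against cwd
        std::string candidate = dir + "/" + program;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
            access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}

// Convenience wrapper over the process's own PATH environment variable.
std::string findExecutable(const std::string &program) {
    const char *p = std::getenv("PATH");
    return findExecutableIn(program, splitPath(p ? p : ""));
}
```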