Hi,

I've just made a high-priority upload for kdewebdev (1:3.3.2-6) to
unstable.  The previous upload (-5) fixed a security hole in kommander
(CAN-2005-0754), but it was later realised by upstream that the patch
was not correct.  The new upload (-6) fixes this.

The entire diff between -5 and -6 is included below.  If you could
approve -6 for sarge it would be appreciated.

Thanks - Ben.


diff -u kdewebdev-3.3.2/kommander/executor/instance.cpp 
kdewebdev-3.3.2/kommander/executor/instance.cpp
--- kdewebdev-3.3.2/kommander/executor/instance.cpp
+++ kdewebdev-3.3.2/kommander/executor/instance.cpp
@@ -147,7 +147,7 @@
 
   bool inTemp = false;
   for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
-    if (m_uiFileName.directory().startsWith(*I))
+    if (m_uiFileName.directory(false).startsWith(*I))
       inTemp = true;
 
   if (inTemp)
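Review bot: the bare `false` on the changed `m_uiFileName.directory(false)` line needs a comment saying what it switches off and why the check depends on it. In KDE 3's KURL the first parameter of directory() controls whether the trailing slash is stripped from the result, so whether `startsWith(*I)` matches depends on how the entries in tmpDirs are terminated relative to that string. That relationship is not visible in this hunk and should be stated next to the loop, since getting it wrong is what made the -5 patch ineffective. Because this is a plain string prefix comparison, please also note whether m_uiFileName is already canonicalised at this point. As a minor point, the loop could `break` once inTemp is set.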
diff -u kdewebdev-3.3.2/debian/changelog kdewebdev-3.3.2/debian/changelog
--- kdewebdev-3.3.2/debian/changelog
+++ kdewebdev-3.3.2/debian/changelog
@@ -1,3 +1,11 @@
+kdewebdev (1:3.3.2-6) unstable; urgency=high
+
+  * Security upload.
+  * Fixed the patch for CAN-2005-0754.  The previous patch from 1:3.3.2-5 was
+    incorrect, and still allowed execution of files served from /tmp.
+
+ -- Ben Burton <[EMAIL PROTECTED]>  Thu,  5 May 2005 14:32:03 +1000
+
 kdewebdev (1:3.3.2-5) unstable; urgency=high
 
   * Security upload.
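Review bot: the new 1:3.3.2-6 changelog entry says the -5 patch was incorrect but not what was wrong with it. Consider adding a clause that names the file and the change (the `directory(false)` call in kommander/executor/instance.cpp), so that someone auditing CAN-2005-0754 later can tell from the changelog alone which revision carries the effective fix.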

