[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

Why did the kde4libs amd64 build in ubuntu-security-proposed fail? It built fine in my ppa. my ppa: https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+build/12070850 ubuntu-security-proposed build:

[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

debdiff for kde4libs in xenial is attached. ** Attachment added: "kde4libs-xenial-debdiff" https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4829903/+files/kde4libs-xenial-debdiff ** Changed in: kio (Ubuntu Xenial) Status: New => Confirmed ** Changed in: kde4libs

[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

debdiff for kio in xenial is attached. ** Attachment added: "kio-xenial-debdiff" https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1668871/+attachment/4829901/+files/kio-xenial-debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to

[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2017-6410 -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kde4libs in Ubuntu. https://bugs.launchpad.net/bugs/1668871 Title: kio: Information Leak when accessing https when

[Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

** Changed in: kde4libs (Ubuntu Zesty) Status: New => Confirmed ** Changed in: kio (Ubuntu Zesty) Status: New => Confirmed -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kde4libs in Ubuntu.

[Bug 1668552] Re: KDE Project Security Advisory: ktnef: Directory Traversal

debdiff for ktnef in xenial is attached. kdepim also needs to patched both in xenial and trusty. ** Attachment added: "ktnef-xenial-debdiff" https://bugs.launchpad.net/ubuntu/+source/ktnef/+bug/1668552/+attachment/4829858/+files/ktnef-xenial-debdiff -- You received this bug notification

[Bug 1893465] [NEW] KDE Project Security Advisory: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.

*** This bug is a security vulnerability *** Public security bug reported: I have included a debdiff imported from upstream for the below security advisory for ark. I have tested the patch in ppa with the sample archive issued in the advisory and can confirm it works without any noticeable

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

I have tested steve's focal build from security-proposed and was able to succesfully validate the fix i.e. warning for the PoC. I have attached a screenshot of the warning when trying to open the PoC ** Attachment added: "ark_fix_test.png"

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

Code went through a major refactor after xenial to integrate with updated Qt. See https://phabricator.kde.org/T2704 The refactor for this function was -void Job::onEntry(const ArchiveEntry & archiveEntry) +void Job::onEntry(Archive::Entry *entry) { -emit newEntry(archiveEntry); +emit