[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
This bug was fixed in the package ark - 4:15.12.3-0ubuntu1.1

---------------
ark (4:15.12.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Stop running executables when opening urls (LP: #1655507)
    - debian/patches/00_disable_open_functionality.patch
    - CVE-2017-5530

 -- Clive Johnston  Wed, 11 Jan 2017 16:42:19 +

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
This bug was fixed in the package ark - 4:16.04.3a-0ubuntu2.2

---------------
ark (4:16.04.3a-0ubuntu2.2) yakkety-security; urgency=medium

  * SECURITY UPDATE: unintended execution of scripts and executable files
    - debian/patches/no-exec-during-url-open.patch
    - Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.
    - CVE-2017-5330
    - fixes (LP: #1655507)

 -- Vishnu Vardhan Reddy Naini  Thu, 19 Jan 2017 03:10:04 +0530

** Changed in: ark (Ubuntu Yakkety)
       Status: In Progress => Fix Released

** Changed in: ark (Ubuntu Xenial)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5530

-- 
You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
** Changed in: ark (Ubuntu Yakkety)
       Status: Confirmed => In Progress
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
** Changed in: ark (Ubuntu Zesty)
       Status: Fix Committed => Fix Released
Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
On 20/01/17 03:42, Simon Quigley wrote:
> I'm marking this as Fix Committed in Zesty, and if someone could mark
> this as Fix Released once it gets through to zesty-release, that would
> be great. Looks like someone forgot to put this bug number in the
> changelog.

I did, thanks.
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
KDE Applications 16.12.1 seems to be uploaded to Zesty (excluding PIM) and it includes Ark 16.12.1, which has this fix baked in.
https://launchpad.net/ubuntu/+source/ark/4:16.12.1-0ubuntu1

I'm marking this as Fix Committed in Zesty, and if someone could mark this as Fix Released once it gets through to zesty-release, that would be great. Looks like someone forgot to put this bug number in the changelog.

** Changed in: ark (Ubuntu Zesty)
       Status: Confirmed => Fix Committed

** Description changed:

  KDE Project Security Advisory
  =============================

  Title:          Ark: unintended execution of scripts and executable files
  Risk Rating:    Important
- CVE:            TODO
- Platforms:      TODO
+ CVE:            CVE-2017-5330
  Versions:       ark >= 15.12
  Author:         Elvis Angelaccio
- Date:           TODO
+ Date:           12 January 2017

  Overview
  ========

  Through a (possibly malicious) tar archive that contains an executable shell script or binary, it was possible to execute arbitrary code on target machines.

  KRun::runUrl() has a runExecutable argument which defaults to true. Ark was using this default value and was also not checking whether an extracted file was executable before passing it to the runUrl() function.

  Impact
  ======

  An attacker can send legitimate tar archives with executable scripts or binaries disguised as normal files (say, with README or LICENSE as filenames). The attacker then can trick a user to select those files and click the Open button in the Ark toolbar, which triggers the affected code.

  Workaround
  ==========

- Don't use the Open functionality of Ark.
+ Don't use the File -> Open functionality of Ark.
+ You can still open archives (Archive->Open) and extract them.

  Solution
  ========

  Update to Ark >= 16.12.1

  For older releases of Ark, apply the following patches:

  Applications/16.08 branch: https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
  Applications/16.04 branch: https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
  Applications/15.12 branch: https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

  Credits
  =======

  Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.
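The advisory above describes two things worth having in code: the disguise the attacker relies on (an archive entry that is executable but named like a document) and the policy change behind the fix (an opened entry must never be executed, regardless of its mode bits). The following is an added example and is not Ark's or KDE's code. It audits a tar archive for that disguise and models the runExecutable decision with a plain function; the document-name list, the `decide_open_action` model and the sample archive are all assumptions constructed here, and the real KRun::runUrl() logic is not reproduced.

```python
"""Added example (not Ark/KDE code): audit a tar archive for executable
entries disguised as documents, and model the "never execute on open" policy.
The sample archive is constructed in memory; nothing is written to disk."""
import io
import os
import stat
import tarfile

# Assumed list of names a victim would click without suspicion.
DOCUMENT_STEMS = {"readme", "license", "copying", "changelog", "authors",
                  "install", "news", "todo"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def looks_like_document(name):
    """README, README.md, docs/LICENSE.txt ... all count as document names."""
    stem = os.path.basename(name).split(".")[0].lower()
    return stem in DOCUMENT_STEMS


def content_is_code(head):
    """Shebang or ELF magic in the first bytes of the entry."""
    return head.startswith(b"#!") or head.startswith(b"\x7fELF")


def audit_archive(tar_bytes):
    """Return {member name: [findings]} for regular files that are executable
    by mode bits or by content; a document-like name is recorded as well."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isreg():
                continue
            reasons = []
            if m.mode & EXEC_BITS:
                reasons.append("exec bit set")
            head = tf.extractfile(m).read(4)
            if content_is_code(head):
                reasons.append("script/ELF content")
            if reasons and looks_like_document(m.name):
                reasons.append("document-like name")
            if reasons:
                findings[m.name] = reasons
    return findings


def disguised_executables(tar_bytes):
    """Entries that are executable AND named like a document: the advisory's case."""
    return sorted(n for n, r in audit_archive(tar_bytes).items()
                  if "document-like name" in r)


def decide_open_action(mode, run_executables):
    """Assumed model of the runUrl() policy: with run_executables=True (the
    default Ark relied on before the fix) an executable entry gets executed;
    with False (what the fix amounts to) it is only handed to a viewer."""
    if run_executables and mode & EXEC_BITS:
        return "execute"
    return "view"


def build_sample_archive():
    """Constructed sample: one disguised script, one real tool, two documents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data, mode):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
        add("pkg/README", b"#!/bin/sh\nid > /tmp/pwned\n", 0o755)  # the disguise
        add("pkg/LICENSE", b"MIT License\n", 0o644)
        add("pkg/README.md", b"# docs\n", 0o644)
        add("pkg/bin/tool", b"\x7fELF\x02\x01\x01\x00", 0o755)     # legit binary
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reasons in audit_archive(sample).items():
        print(name, "->", ", ".join(reasons))
    print("disguised:", disguised_executables(sample))
```

The content check matters because the mode bits alone are not a reliable signal in either direction: a tarball can carry 0755 on harmless text, and a plain "view" policy is the safe answer whatever the bits say, which is exactly why the fix stops executing rather than trying to classify.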
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
New debdiff.patch that conforms to Ubuntu security sponsorship procedures.

** Patch added: "debdiff.patch"
   https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4806031/+files/debdiff.patch
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
Subscribing ubuntu-security-sponsors so this gets looked at.
Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
On 17/01/17 08:52, visred wrote:
> I tested it and no problems on yakkety. I was trying to send a merge
> proposal but I am unable to find the bzr branch.
>
> Although ark is present at lp:ark , bzr can't pull from there for some
> reason. Tried using git too. Still can't find the branch.

Here: https://code.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/ark
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
I tested it and no problems on yakkety. I was trying to send a merge proposal but I am unable to find the bzr branch.

Although ark is present at lp:ark, bzr can't pull from there for some reason. Tried using git too. Still can't find the branch.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5330

** Changed in: ark (Ubuntu Xenial)
       Status: Incomplete => Confirmed

** Changed in: ark (Ubuntu Yakkety)
       Status: Incomplete => Confirmed

** Changed in: ark (Ubuntu Zesty)
       Status: Incomplete => Confirmed
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
I am including a debdiff for yakkety. Clive, if you want, I can build it in my PPA. I already started building for yakkety. Please test it and sponsor these diffs: https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages

** Attachment added: "debdiff-yakkety"
   https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4805298/+files/debdiff
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
** Tags added: patch
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
I have a debdiff for Xenial, but due to my lack of resources (pathetic slow internet and old system) I can't test it.
https://launchpad.net/~kubuntu-ninjas/+archive/ubuntu/ppa/+packages?field.name_filter=ark_filter=published_filter=

** Patch added: "ark_15.12.3-0ubuntu1.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4802947/+files/ark_15.12.3-0ubuntu1.1.debdiff
[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: ark (Ubuntu)
       Status: New => Incomplete

** Changed in: ark (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: ark (Ubuntu Yakkety)
       Status: New => Incomplete

** Information type changed from Private Security to Public Security