subject:"\[Bug 1655507\] Re\: CVE\-2017\-5330 \- Ark\: unintended execution of scripts and executable files"

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-20 Thread Launchpad Bug Tracker

This bug was fixed in the package ark - 4:15.12.3-0ubuntu1.1

---
ark (4:15.12.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Stop running executables when opening urls (LP: #1655507)
- debian/patches/00_disable_open_functionality.patch
- CVE-2017-5530

 -- Clive Johnston   Wed, 11 Jan 2017 16:42:19
+

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-20 Thread Launchpad Bug Tracker

This bug was fixed in the package ark - 4:16.04.3a-0ubuntu2.2

---
ark (4:16.04.3a-0ubuntu2.2) yakkety-security; urgency=medium

  * SECURITY UPDATE:unintended execution of scripts and executable files
  - debian/patches/no-exec-during-url-open.patch
  - Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for 
fixing this issue.
  - CVE-2017-5330
  - fixes (LP: #1655507)

 -- Vishnu Vardhan Reddy Naini   Thu, 19 Jan
2017 03:10:04 +0530

** Changed in: ark (Ubuntu Yakkety)
   Status: In Progress => Fix Released

** Changed in: ark (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-5530

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-20 Thread Emily Ratliff

** Changed in: ark (Ubuntu Yakkety)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-20 Thread Rik Mills

** Changed in: ark (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-20 Thread Rik Mills

On 20/01/17 03:42, Simon Quigley wrote:
> I'm marking this as Fix Committed in Zesty, and if someone could mark
> this as Fix Released once it gets through to zesty-release, that would
> be great. Looks like someone forgot to put this bug number in the
> changelog.

I did, thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-19 Thread Simon Quigley

KDE Applications 16.12.1 seems to be uploaded to Zesty (excluding PIM)
and it includes Ark 16.12.1, which has this fix baked in.
https://launchpad.net/ubuntu/+source/ark/4:16.12.1-0ubuntu1

I'm marking this as Fix Committed in Zesty, and if someone could mark
this as Fix Released once it gets through to zesty-release, that would
be great. Looks like someone forgot to put this bug number in the
changelog.

** Changed in: ark (Ubuntu Zesty)
   Status: Confirmed => Fix Committed

** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  Ark: unintended execution of scripts and executable files
  Risk Rating:Important
- CVE:TODO
- Platforms:  TODO
+ CVE:CVE-2017-5330
  Versions:   ark >= 15.12
  Author: Elvis Angelaccio 
- Date:   TODO
+ Date:   12 January 2017
  
  Overview
  
  
  Through a (possibly malicious) tar archive that contains an
  executable shell script or binary, it was possible to execute
  arbitrary code on target machines.
  KRun::runUrl() has a runExecutable argument which defaults to true.
  Ark was using this default value and was also not checking
  whether an extracted file was executable before passing it to the
  runUrl() function.
  
  Impact
  ==
  
  An attacker can send legitimate tar archives with executable scripts or
  binaries disguised as normal files (say, with README or LICENSE as filenames).
  The attacker then can trick a user to select those files and click
  the Open button in the Ark toolbar, which triggers the affected code.
  
  Workaround
  ==
  
- Don't use the Open functionality of Ark.
+ Don't use the File -> Open functionality of Ark.
+ You can still open archives (Archive->Open) and extract them.
  
  Solution
  
  
  Update to Ark >= 16.12.1
  
  For older releases of Ark, apply the following patches:
  
  Applications/16.08 branch: 
https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
  Applications/16.04 branch: 
https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
  Applications/15.12 branch: 
https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b
  
  Credits
  ===
  
  Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for
  fixing this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-18 Thread visred

New debdiff.patch that conforms ubuntu security sponsorship procedures

** Patch added: "debdiff.patch"
   
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4806031/+files/debdiff.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-17 Thread Marc Deslauriers

Subscribing ubuntu-security-sponsors so this gets looked at.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-17 Thread Rik Mills

On 17/01/17 08:52, visred wrote:
> I tested it and no problems on yakkety. I was trying to send a merge
> proposal but I am unable to find the bzr branch.
> 
> Although ark is present at lp:ark , bzr can't pull from there for some
> reason. Tried using git too. Still can't find the branch.

Here:
https://code.launchpad.net/~kubuntu-packagers/kubuntu-packaging/+git/ark

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-17 Thread visred

I tested it and no problems on yakkety. I was trying to send a merge
proposal but I am unable to find the bzr branch.

Although ark is present at lp:ark , bzr can't pull from there for some
reason. Tried using git too. Still can't find the branch.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-5330

** Changed in: ark (Ubuntu Xenial)
   Status: Incomplete => Confirmed

** Changed in: ark (Ubuntu Yakkety)
   Status: Incomplete => Confirmed

** Changed in: ark (Ubuntu Zesty)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-17 Thread visred

I am including a debdiff for yakkety

Clive if you want I can build it in my ppa. I already started building
for yakkety. Please test it and sponsor these diffs
https://launchpad.net/~visred/+archive/ubuntu/rel-ppa/+packages

** Attachment added: "debdiff-yakkety"
   
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4805298/+files/debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-11 Thread Ubuntu Foundations Team Bug Bot

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-11 Thread Clive Johnston

I have a debdiff for Xenial, but due to my lack of resources (pathetic
slow internet and old system) I can't test it.

https://launchpad.net/~kubuntu-
ninjas/+archive/ubuntu/ppa/+packages?field.name_filter=ark_filter=published_filter=

** Patch added: "ark_15.12.3-0ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+attachment/4802947/+files/ark_15.12.3-0ubuntu1.1.debdiff

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

2017-01-10 Thread Seth Arnold

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: ark (Ubuntu)
   Status: New => Incomplete

** Changed in: ark (Ubuntu Xenial)
   Status: New => Incomplete

** Changed in: ark (Ubuntu Yakkety)
   Status: New => Incomplete

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

Re: [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

14 matches

Site Navigation

Mail list logo

Footer information