oss-sec mailing list archives
CVE Request: incomplete fix for CVE-2010-1000 in KDE network
From: Jamie Strandboge <jamie () canonical com>
Date: Fri, 15 Apr 2011 08:44:49 -0500
A bug was filed in Ubuntu[1] for patches[2][3] that went into KDE Network for an incomplete fix for CVE-2010-1000. The commit message is:

"Further addresses CVE-2010-1000. The file name of Metalink File is checked a better way, making it work under more conditions."

While the previous patch fixed things like '../../tmp/gotcha', it did not fix a single leading '../'.

[1] https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526
[2] http://websvn.kde.org/?view=revision&revision=1227468 (4.4)
[3] http://websvn.kde.org/?view=revision&revision=1227469 (4.5)

--
Jamie Strandboge | http://www.canonical.com
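The gap described in the message above, as an added example that is not part of the original post and is not KDE's code: a hypothetical substring check that rejects '../../tmp/gotcha' but accepts a single leading '../', next to a component-wise check that rejects both. The function names are assumptions, and the check is lexical only, assuming POSIX '/' separators.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical incomplete check (an assumption, NOT the KDE patch): it only
// looks for "/../", so "../../tmp/gotcha" is rejected but "../gotcha" passes.
bool naiveNameCheck(const std::string& name) {
    return name.find("/../") == std::string::npos;
}

// Component-wise check: accept only relative names that never step above
// the download directory at any point while walking the path.
// Lexical only: it does not resolve symlinks on disk.
bool isSafeMetalinkName(const std::string& name) {
    if (name.empty() || name[0] == '/') return false;  // empty or absolute
    int depth = 0;
    std::istringstream in(name);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part.empty() || part == ".") continue;     // "a//b", "./a"
        if (part == "..") {
            if (--depth < 0) return false;             // left the base dir
        } else {
            ++depth;
        }
    }
    return depth > 0;  // must name something inside the directory
}

int main() {
    // Constructed sample names; the first two are the forms quoted in the post.
    const char* samples[] = {"../../tmp/gotcha", "../gotcha",
                             "dir/file.iso", "a/../../b", "/etc/passwd"};
    for (const char* s : samples) {
        std::cout << s << "  naive=" << naiveNameCheck(s)
                  << "  componentwise=" << isSafeMetalinkName(s) << "\n";
    }
    return 0;
}
```
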