oss-sec mailing list archives

Re: ark vulnerability: need CVE


From: <cve-assign () mitre org>
Date: Mon, 9 Jan 2017 22:58:27 -0500

The problem is that the "Open" functionality of ark would run shell scripts;
this is quite unexpected.

The title for the advisory we're preparing is
  Ark: unintended execution of scripts and executable files

https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065

Stop running executables when opening urls
This is a security risk because it's not clear when an entry in an archive is an executable.
BUG: 374572
FIXED-IN: 16.12.1 

part/part.cpp

Use CVE-2017-5330.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
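
The commit message quoted in the message above notes that it is not clear when an entry in an archive is an executable. The following is an added example, not part of the original message and not Ark's code or its fix: a check that lists which entries of a tar archive could run if launched, by execute bit or by leading bytes. The function names, the tar-only scope and the sample archive are assumptions constructed for illustration.

```python
import io
import stat
import tarfile

# Leading bytes that mark content the OS can execute directly.
MAGIC = {b"#!": "script (shebang)", b"\x7fELF": "ELF binary"}

def executable_entries(archive_bytes):
    """Return {entry name: [reasons]} for entries that could run if launched."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            # Permission bits stored in the archive survive extraction.
            if member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("execute bit set")
            # Content can be runnable even when the name and mode look harmless.
            head = tar.extractfile(member).read(4)
            for magic, label in MAGIC.items():
                if head.startswith(magic):
                    reasons.append(label)
            if reasons:
                findings[member.name] = reasons
    return findings

def build_sample():
    """Constructed sample archive: one plain file, two entries that can execute."""
    entries = [
        ("notes.txt", 0o644, b"plain text\n"),
        ("setup", 0o755, b"#!/bin/sh\necho constructed sample\n"),
        ("tool.bin", 0o644, b"\x7fELF" + b"\x00" * 12),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in executable_entries(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```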

