Bug 1018648 – VUL-0: CVE-2017-5330: ark: does not handle executable scripts safely

Bug 1018648 - (CVE-2017-5330.) VUL-0: CVE-2017-5330: ark: does not handle executable scripts safely

(CVE-2017-5330.)
Summary:	VUL-0: CVE-2017-5330: ark: does not handle executable scripts safely

Status:	RESOLVED FIXED
Duplicates:	1018969 (view as bug list)

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 42.1
Hardware:	Other openSUSE 42.1

Priority:	P3 - Medium Severity: Major (vote)
Target Milestone:	Leap 42.2
Assigned To:	Security Team bot
QA Contact:	E-mail List

URL:	https://smash.suse.de/issue/178330/
Whiteboard:
Keywords:	security

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-01-06 22:26 UTC by Peter Linnell
Modified:	2017-05-28 19:15 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Community User
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Linnell 2017-01-06 22:26:24 UTC

See https://bugs.kde.org/show_bug.cgi?id=374572 for details and fix.

Comment 1 Fabian Vogt 2017-01-06 23:00:16 UTC

Patch backported and packages verified for 42.2 (sr 449043) and 42.1 (sr 449032).

Comment 2 Bernhard Wiedemann 2017-01-06 23:01:49 UTC

This is an autogenerated message for OBS integration:
This bug (1018648) was mentioned in
https://build.opensuse.org/request/show/449032 42.1 / ark
https://build.opensuse.org/request/show/449043 42.2 / ark

Comment 3 Bernhard Wiedemann 2017-01-07 01:00:42 UTC

This is an autogenerated message for OBS integration:
This bug (1018648) was mentioned in
https://build.opensuse.org/request/show/449044 Factory / ark

Comment 4 Bernhard Wiedemann 2017-01-07 23:00:30 UTC

This is an autogenerated message for OBS integration:
This bug (1018648) was mentioned in
https://build.opensuse.org/request/show/449106 Backports:SLE-12-SP1 / ark

Comment 5 Andreas Stieger 2017-01-10 08:10:29 UTC

*** Bug 1018969 has been marked as a duplicate of this bug. ***

Comment 6 Andreas Stieger 2017-01-10 08:11:29 UTC

http://seclists.org/oss-sec/2017/q1/45
https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065

Comment 7 Swamp Workflow Management 2017-01-16 18:10:17 UTC

openSUSE-SU-2017:0140-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1018648
CVE References: CVE-2017-5330
Sources used:
openSUSE Leap 42.2 (src):    ark-16.08.2-3.1
openSUSE Leap 42.1 (src):    ark-15.12.3-18.1

Comment 8 Swamp Workflow Management 2017-01-16 18:17:28 UTC

openSUSE-SU-2017:0150-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1018648
CVE References: CVE-2017-5330
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ark-15.12.3-8.1

Comment 9 Swamp Workflow Management 2017-03-28 13:11:13 UTC

openSUSE-RU-2017:0837-1: An update that has four recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1015761,1016982,1018648,1020161
CVE References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ark-16.08.2-5.1, jsoncpp-1.7.4-5.1, kopete-16.08.2-5.1, mailcommon-16.08.2-5.1

Comment 10 Andreas Stieger 2017-05-28 19:15:13 UTC

done