-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 02 Jul 2007 13:14:30 -0500
Source: kvirc
Binary: kvirc-dev kvirc-data kvirc
Architecture: amd64_translations amd64
Version: 2:3.2.0-5ubuntu1.1
Distribution: dapper-security
Urgency: low
Maintainer: Ubuntu/amd64 Build Daemon <buildd@king.buildd>
Changed-By: Richard A. Johnson <nixternal@ubuntu.com>
Description: 
 kvirc      - KDE based next generation IRC client with module support
 kvirc-dev  - Development files for KVIrc
Changes: 
 kvirc (2:3.2.0-5ubuntu1.1) dapper-security; urgency=low
 .
   * SECURITY UPDATE: parseIrcUrl() do not properly sanitize parts of the URI
     when building the command for KVIrc's internet script system. This can
     be exploited to inject and execute commands for the KVIrc script system
     (including the "run" command, which can be leveraged to execute shell
     commands) by e.g. tricking a user into opening a specially crafted
     "irc://" or similar URI.
   * Add debian/patches/09_parseIrcUrl_security_fix.patch: propery sanitizes
     URI strings, as done in upstream SVN. (Fixes LP: #123037)
   * References:
     - http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest
     - http://secunia.com/secunia_research/2007-56/advisory/
     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951
     - https://svn.kvirc.de/kvirc/changeset/630/#file3 (fix to kvi_ircurl.cpp)
Files: 
 8ec99306869ac228c9aefeec0d75fda8 2607528 net optional kvirc_3.2.0-5ubuntu1.1_amd64.deb
 25574779166caf464f8c89e9d3fe3188 341572 devel optional kvirc-dev_3.2.0-5ubuntu1.1_amd64.deb
 4cbfb812bbf94f4fdf5cd2c9c0e39091 1421406 raw-translations - kvirc_3.2.0-5ubuntu1.1_amd64_translations.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGisgS0N0xjzyQZEIRAsApAKCFlDydc0FrVM+fspUWzlQu+FHiNwCeJXfq
3rG/ov2oGm0exZ9p9GUuZ+0=
=QFhz
-----END PGP SIGNATURE-----