-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 02 Jul 2007 13:10:10 -0500
Source: kvirc
Binary: kvirc-dev kvirc-data kvirc
Architecture: powerpc_translations powerpc
Version: 2:3.2.4-5ubuntu1.1
Distribution: feisty-security
Urgency: low
Maintainer: Ubuntu/powerpc Build Daemon
Changed-By: Richard A. Johnson
Description:
 kvirc - KDE based next generation IRC client with module support
 kvirc-dev - Development files for KVIrc
Launchpad-Bugs-Fixed: 123037
Changes:
 kvirc (2:3.2.4-5ubuntu1.1) feisty-security; urgency=low
 .
   * SECURITY UPDATE: parseIrcUrl() does not properly sanitize parts of the
     URI when building the command for KVIrc's internet script system. This
     can be exploited to inject and execute commands for the KVIrc script
     system (including the "run" command, which can be leveraged to execute
     shell commands) by e.g. tricking a user into opening a specially crafted
     "irc://" or similar URI.
   * Add debian/patches/10_parseIrcUrl_security_fix.patch: properly sanitizes
     URI strings, as done in upstream SVN. (Fixes LP: #123037)
   * References:
     - http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest
     - http://secunia.com/secunia_research/2007-56/advisory/
     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951
     - https://svn.kvirc.de/kvirc/changeset/630/#file3 (fix to kvi_ircurl.cpp)
   * Add debian/control: Debian Maintainer Field
Files:
 b1ffa47544ec22cc2232f11a6bd8bad8 2389561 raw-translations - kvirc_3.2.4-5ubuntu1.1_powerpc_translations.tar.gz
 4c1ee2a2b1f5123621469c81d34f7efa 3481946 net optional kvirc_3.2.4-5ubuntu1.1_powerpc.deb
 8773dbcb32175edadfe45ccba23116fc 375396 devel optional kvirc-dev_3.2.4-5ubuntu1.1_powerpc.deb
Original-Maintainer: Robin Verduijn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGip9k0N0xjzyQZEIRAjnzAJ9kODb7XiyCl+NotFm6XZmQcCo4pACfXbCG
YMxo2UWJIFFdu2xGdronjpo=
=1vhc
-----END PGP SIGNATURE-----