-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 02 Jul 2007 13:10:10 -0500
Source: kvirc
Binary: kvirc-dev kvirc-data kvirc
Architecture: sparc_translations sparc
Version: 2:3.2.4-5ubuntu1.1
Distribution: feisty-security
Urgency: low
Maintainer: Ubuntu/sparc Build Daemon
Changed-By: Richard A. Johnson
Description:
 kvirc      - KDE based next generation IRC client with module support
 kvirc-dev  - Development files for KVIrc
Launchpad-Bugs-Fixed: 123037
Changes:
 kvirc (2:3.2.4-5ubuntu1.1) feisty-security; urgency=low
 .
   * SECURITY UPDATE: parseIrcUrl() does not properly sanitize parts of the
     URI when building the command for KVIrc's internet script system. This
     can be exploited to inject and execute commands for the KVIrc script
     system (including the "run" command, which can be leveraged to execute
     shell commands) by e.g. tricking a user into opening a specially
     crafted "irc://" or similar URI.
   * Add debian/patches/10_parseIrcUrl_security_fix.patch: properly
     sanitizes URI strings, as done in upstream SVN. (Fixes LP: #123037)
   * References:
     - http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest
     - http://secunia.com/secunia_research/2007-56/advisory/
     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951
     - https://svn.kvirc.de/kvirc/changeset/630/#file3 (fix to kvi_ircurl.cpp)
   * Add debian/control: Debian Maintainer Field
Files:
 1a7b20284e7ca833577b60d25fdf2562 2389563 raw-translations - kvirc_3.2.4-5ubuntu1.1_sparc_translations.tar.gz
 284cde43946202f8393c0b9344df67dd 3154410 net optional kvirc_3.2.4-5ubuntu1.1_sparc.deb
 c0abc57157228b310d4746a37d3a9d76 374472 devel optional kvirc-dev_3.2.4-5ubuntu1.1_sparc.deb
Original-Maintainer: Robin Verduijn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGiqSf0N0xjzyQZEIRAj0/AJ9NpUTmO/8nP02MF0G6bGarB/lcQACfdJ8a
X/kmATuQ74k1aC0R7I79oEQ=
=oFlH
-----END PGP SIGNATURE-----