Format: 1.7
Date: Mon, 02 Jul 2007 13:16:11 -0500
Source: kvirc
Binary: kvirc-dev kvirc-data kvirc
Architecture: amd64_translations amd64
Version: 2:3.2.4-5ubuntu2
Distribution: autobuild
Urgency: low
Maintainer: Ubuntu/amd64 Build Daemon
Changed-By: Richard A. Johnson
Description:
 kvirc - KDE based next generation IRC client with module support
 kvirc-dev - Development files for KVIrc
Launchpad-Bugs-Fixed: 123037
Changes:
 kvirc (2:3.2.4-5ubuntu2) gutsy; urgency=low
 .
   * SECURITY UPDATE: parseIrcUrl() do not properly sanitize parts of the
     URI when building the command for KVIrc's internet script system. This
     can be exploited to inject and execute commands for the KVIrc script
     system (including the "run" command, which can be leveraged to execute
     shell commands) by e.g. tricking a user into opening a specially
     crafted "irc://" or similar URI.
   * Add debian/patches/10_parseIrcUrl_security_fix.patch: properly
     sanitizes URI strings, as done in upstream SVN. (Fixes LP: #123037)
   * References:
     - http://www.kvirc.net/?id=news&story=2007.06.29.22.00.1.story&dir=latest
     - http://secunia.com/secunia_research/2007-56/advisory/
     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2951
     - https://svn.kvirc.de/kvirc/changeset/630/#file3 (fix to kvi_ircurl.cpp)
   * Add debian/control: Debian Maintainer Field
Files:
 6fd66ea7bdd271552d8b8114b5b59b5e 2389527 raw-translations - kvirc_3.2.4-5ubuntu2_amd64_translations.tar.gz
 e4ea36df7694a37a2967c051cc5cc989 3298766 net optional kvirc_3.2.4-5ubuntu2_amd64.deb
 4e280cc8c58368b1efe034e2701f9168 375222 devel optional kvirc-dev_3.2.4-5ubuntu2_amd64.deb
Original-Maintainer: Robin Verduijn