List:       oss-security
Subject:    Re: [oss-security] CVE Request: incomplete fix for CVE-2010-1000 in
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-04-15 18:52:34
Message-ID: 889145794.11829.1302893554457.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2011-1586

Thanks.

-- 
    JB



----- Original Message -----
> A bug was filed in Ubuntu[1] for patches[2][3] that went into KDE
> Network for an incomplete fix for CVE-2010-1000. The commit message
> is:
> 
> "Further addresses CVE-2010-1000. The file name of Metalink File is
> checked a better way, making it work under more conditions."
> 
> While the previous patch fixed things like '../../tmp/gotcha', it did
> not fix a single leading '../'.
> 
> [1]https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526
> [2]http://websvn.kde.org/?view=revision&revision=1227468 (4.4)
> [3]http://websvn.kde.org/?view=revision&revision=1227469 (4.5)
> 
> --
> Jamie Strandboge | http://www.canonical.com
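
The quoted report distinguishes a name such as '../../tmp/gotcha' from one with a single leading '../'; a check that resolves the name component by component rejects both forms the same way. The following is an added example, not part of this thread and not the KDE patch; resolveInside, the download directory and the sample names other than '../../tmp/gotcha' are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not KGet code): lexically resolve a Metalink-supplied
// file name under destDir. Returns false if the name would leave destDir.
// Assumes POSIX '/' separators; symlinks are not examined.
bool resolveInside(std::string destDir, const std::string& name, std::string& out) {
    if (destDir.empty() || name.empty() || name[0] == '/' ||
        name.find('\0') != std::string::npos)
        return false;                        // empty, absolute, or embedded NUL
    while (destDir.size() > 1 && destDir.back() == '/')
        destDir.pop_back();                  // normalise trailing slashes

    std::vector<std::string> parts;          // components kept below destDir
    std::string::size_type pos = 0;
    while (pos <= name.size()) {
        std::string::size_type end = name.find('/', pos);
        if (end == std::string::npos) end = name.size();
        const std::string part = name.substr(pos, end - pos);
        pos = end + 1;
        if (part.empty() || part == ".") continue;
        if (part == "..") {
            if (parts.empty()) return false; // would climb above destDir
            parts.pop_back();
        } else {
            parts.push_back(part);
        }
    }
    if (parts.empty()) return false;         // resolves to destDir itself

    out = destDir;
    for (const std::string& p : parts) {
        if (out.back() != '/') out += '/';
        out += p;
    }
    return true;
}

int main() {
    // Constructed inputs; the first is the string quoted in the report.
    const char* names[] = {"../../tmp/gotcha", "../gotcha", "iso/disc1.iso"};
    for (const char* n : names) {
        std::string out;
        bool ok = resolveInside("/home/user/Downloads", n, out);
        std::cout << n << " -> " << (ok ? out : "rejected") << "\n";
    }
    return 0;
}
```

The check is purely lexical, so a caller that writes into a directory containing symlinks still needs to confirm the real path of the result before opening it.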