security bug in kget
Bug #578856 reported by Jonathan Riddell
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdenetwork (Ubuntu) | Fix Released | High | Jonathan Riddell |
Jaunty | Fix Released | High | Jonathan Riddell |
Karmic | Fix Released | High | Jonathan Riddell |
Lucid | Fix Released | High | Jonathan Riddell |
Maverick | Fix Released | High | Jonathan Riddell |
Bug Description
Binary package hint: kdenetwork
Secunia has assigned SA39528 to it; CVE-2010-1000 is also assigned to it.
Secunia Research has discovered a vulnerability in KDE KGet,
which can be exploited by malicious people to compromise a user's
system.
The "name" attribute of the "file" element of metalink files is not
properly sanitised before being used to download files. If a user is
tricked into downloading from a specially crafted metalink file, this
can be exploited to download files to directories outside of the
intended download directory via directory traversal attacks.
Changed in kdenetwork (Ubuntu Maverick):
status: Fix Committed → Triaged
Changed in kdenetwork (Ubuntu Lucid):
importance: Medium → High
Changed in kdenetwork (Ubuntu Maverick):
importance: Medium → High
Changed in kdenetwork (Ubuntu Jaunty):
importance: Medium → High
Changed in kdenetwork (Ubuntu Karmic):
importance: Medium → High
visibility: private → public
tags: added: patch
TEST CASE: download attached metalink file with kget. 4.4.2-0ubuntu4 will download to /tmp. 4.4.2-0ubuntu4.1 will complain that it's an invalid file and refuse to download.
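The check that the bug description and the test case point to, as an added example that is not taken from the bug report or from KGet's code: each metalink `file` element's `name` is rejected if it is absolute or contains a `..` component, and the resolved target must still sit under the download directory. The sample metalink, the download directory and all function names are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample (metalink 3.0 layout); not the attachment from the bug report.
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="isos/example.iso"><resources><url>http://mirror.example/example.iso</url></resources></file>
  <file name="../../outside.txt"><resources><url>http://mirror.example/a</url></resources></file>
  <file name="/tmp/absolute.txt"><resources><url>http://mirror.example/b</url></resources></file>
  <file name="docs/../../escape.txt"><resources><url>http://mirror.example/c</url></resources></file>
 </files>
</metalink>"""

def name_problem(name):
    """Return why a metalink file name is unsafe, or None if it is acceptable."""
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    parts = name.replace("\\", "/").split("/")
    if parts[0] == "" or parts[0][1:2] == ":":  # leading slash or drive prefix
        return "absolute path"
    if ".." in parts:
        return "parent-directory component"
    return None

def resolve_target(download_dir, name):
    """Map a name to its destination; raise ValueError if it leaves download_dir."""
    problem = name_problem(name)
    if problem:
        raise ValueError(f"invalid metalink file name {name!r}: {problem}")
    base = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(base, name.replace("\\", "/")))
    # Second, independent check: the normalised target must still be under base.
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"invalid metalink file name {name!r}: escapes {base}")
    return target

def audit_metalink(xml_text, download_dir):
    """Return (accepted_targets, rejected) for every <file> element, any namespace."""
    accepted, rejected = [], []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "file":
            continue
        name = elem.get("name", "")
        try:
            accepted.append(resolve_target(download_dir, name))
        except ValueError as err:
            rejected.append((name, str(err)))
    return accepted, rejected
```

A client that mirrors the fixed package's behaviour from the test case would treat any entry in `rejected` as making the whole metalink invalid and refuse the download.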