diff -u kdenetwork-4.3.5/debian/changelog kdenetwork-4.3.5/debian/changelog
--- kdenetwork-4.3.5/debian/changelog
+++ kdenetwork-4.3.5/debian/changelog
@@ -1,3 +1,12 @@
+kdenetwork (4:4.3.5-0ubuntu1~karmic2) karmic-backports; urgency=low
+
+  * SECURITY UPDATE: file name directory traversal attack (LP: #578856).
+   - Add debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
+   - kget/ui/metalinkcreator/metalinker.cpp check filename is valid
+   - CVE-2010-1000, SA39528
+
+ -- Jonathan Riddell <jriddell@ubuntu.com>  Wed, 12 May 2010 10:23:07 +0100
+
 kdenetwork (4:4.3.5-0ubuntu1~karmic1) karmic-backports; urgency=low
 
   * New upstream release
only in patch2:
unchanged:
--- kdenetwork-4.3.5.orig/debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
+++ kdenetwork-4.3.5/debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
@@ -0,0 +1,16 @@
+Index: kget/transfer-plugins/metalink/metalinker.cpp
+===================================================================
+--- a/kget/transfer-plugins/metalink/metalinker.cpp	(revision 1125529)
++++ b/kget/transfer-plugins/metalink/metalinker.cpp	(working copy)
+@@ -41,6 +41,11 @@
+         QDomNode file = files.item(i);
+         MlinkFileData data;
+         data.fileName = file.toElement().attribute("name");
++        if (data.fileName.contains(QRegExp("$(\\.\\.?)?/")) || data.fileName.contains("/../") || data.fileName.endsWith("/..")) {
++            kDebug(5001) << "invalid filename containing directory traversal";
++            fileData.clear();
++            break;
++        }
+         kDebug(5001) << "filename: "<< data.fileName;
+ 
+         QDomNodeList hashes = file.toElement().