Moritz Muehlenhoff
2011-Jul-26 20:20 UTC
[Secure-testing-team] Bug#635541: ark: Directory traversal
Package: ark
Version: 4:4.6.5-2
Severity: grave
Tags: security

The following was reported on oss-security. There's no CVE assignment or any details yet:

---
Date: Mon, 25 Jul 2011 14:45:14 -0400
From: Jeff Mitchell <mitchell at kde.org>
Subject: [oss-security] CVE Request: Ark path traversal

Hello,

Ark contains a path traversal vulnerability allowing a maliciously-crafted zip file to allow for an arbitrary file to be displayed and, if the user has appropriate credentials, removed.

Can we please get a CVE for this?

Thanks,
Jeff
---

Could you contact upstream for details?

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ark depends on:
ii  kdebase-runtime  4:4.6.5-1  runtime components from the offici
ii  libarchive1      2.8.4-1    Single library to read/write tar,
ii  libc6            2.13-10    Embedded GNU C Library: Shared lib
ii  libkdecore5      4:4.6.5-2  KDE Platform Core Library
ii  libkdeui5        4:4.6.5-2  KDE Platform User Interface Librar
ii  libkfile4        4:4.6.5-2  File Selection Dialog Library for
ii  libkhtml5        4:4.6.5-2  KHTML Web Content Rendering Engine
ii  libkio5          4:4.6.5-2  Network-enabled File Management Li
ii  libkonq5abi1     4:4.6.5-1  core libraries for Konqueror
ii  libkparts4       4:4.6.5-2  Framework for the KDE Platform Gra
ii  libkpty4         4:4.6.5-2  Pseudo Terminal Library for the KD
ii  libqt4-dbus      4:4.7.3-5  Qt 4 D-Bus module
ii  libqtcore4       4:4.7.3-5  Qt 4 core module
ii  libqtgui4        4:4.7.3-5  Qt 4 GUI module
ii  libstdc++6       4.6.1-4    GNU Standard C++ Library v3

Versions of packages ark recommends:
ii  bzip2            1.0.5-6          high-quality block-sorting file co
ii  p7zip-full       9.20.1~dfsg.1-2  7z and 7za file archivers with hig
ii  unzip            6.0-5            De-archiver for .zip files
ii  zip              3.0-4            Archiver for .zip files

Versions of packages ark suggests:
pn  rar                  <none>  (no description available)
pn  unrar | unrar-free   <none>  (no description available)

-- no debconf information
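The report above gives no details of how Ark mishandled the entry names, so the following is an added illustration of the vulnerability class rather than Ark's code or its fix: an archive front-end that trusts entry names from the zip central directory can be steered outside the extraction (or deletion) directory by names containing "..", absolute paths or backslash separators. The check below, written here as a hypothetical defender-side pre-scan, normalises each entry name lexically and flags any that would climb above the extraction root; the zip it inspects is constructed inline for the demonstration.

```python
import io
import posixpath
import zipfile


def is_unsafe_entry(name: str) -> bool:
    """Return True if an archive entry name could escape the extraction root.

    The check is purely lexical (no filesystem access), which makes it usable
    before anything is written or deleted. It treats backslashes as separators,
    because some zip writers emit them and some extractors honour them.
    """
    norm = name.replace("\\", "/")
    # Absolute paths and Windows drive-letter prefixes escape by construction.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # posixpath.normpath collapses "docs/../x" to "x", so a ".." survives at
    # the front only when the path genuinely climbs above the root.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_entries(zip_bytes: bytes) -> list:
    """List every entry name in the archive that fails is_unsafe_entry()."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_unsafe_entry(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real-world file) mixing benign and
    traversal entry names. zipfile.writestr stores names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("docs/../notes.txt", "benign once normalised")
        zf.writestr("../../home/user/.bashrc", "climbs above the root")
        zf.writestr("/etc/passwd", "absolute path")
        zf.writestr("..\\..\\win.ini", "backslash-separated traversal")
        zf.writestr("sub/../../escape.txt", "climbs out via a subdirectory")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_entries(build_sample_zip()):
        print("refusing entry:", name)
```

A front-end that performs this scan before listing, extracting or deleting would refuse the whole archive (or at least the flagged entries) rather than resolving the names relative to the user's directory. Note that modern Python's own `ZipFile.extract` sanitises names itself; the explicit check is what an application written against a lower-level archive library has to supply.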