Tim Brown discovered that Ark did not properly perform input validation when previewing archive files. If a user were tricked into opening a crafted archive file, an attacker could remove files via directory traversal. Updated packages are available from security.ubuntu.com.
==========================================================================
Ubuntu Security Notice USN-1276-1
November 21, 2011

kdeutils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Ark could be made to remove files.

Software Description:
- kdeutils: KDE general-purpose utilities

Details:

Tim Brown discovered that Ark did not properly perform input validation when
previewing archive files. If a user were tricked into opening a crafted
archive file, an attacker could remove files via directory traversal.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  ark 4:4.7.1-0ubuntu3.1

Ubuntu 11.04:
  ark 4:4.6.5-0ubuntu1.2

Ubuntu 10.10:
  ark 4:4.5.5-0ubuntu2.2

Ubuntu 10.04 LTS:
  ark 4:4.4.5-0ubuntu1.2

After a standard system update you need to restart your session to make
all the necessary changes.

NOTE: In order to build KDE Utilities on Ubuntu 10.04 LTS, 10.10 and 11.04,
it was necessary to rebuild portions of the KDE point release updates.

References:
  http://www.ubuntu.com/usn/usn-1276-1
  CVE-2011-2725

Package Information:
  https://launchpad.net/ubuntu/+source/kdeutils/4:4.7.1-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/kdeutils/4:4.6.5-0ubuntu1.2
  https://launchpad.net/ubuntu/+source/kdeutils/4:4.5.5-0ubuntu2.2
  https://launchpad.net/ubuntu/+source/kdeutils/4:4.4.5-0ubuntu1.2