Bug#: 155949
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Filename Description Type Creator Created Size Actions
post-3.5.5-kdegraphics.diff post-3.5.5-kdegraphics.diff patch Sune Kloppenborg Jeppesen 2006-11-22 11:47 0000 5.20 KB Details | Diff
kdegraphics-kfile-plugins-3.5.5-r1.ebuild kdegraphics-kfile-plugins-3.5.5-r1.ebuild text/plain Diego E. 'Flameeyes' Pettenò 2006-11-22 12:19 0000 889 bytes Details
kdegraphics-3.5.5-r1.ebuild kdegraphics-3.5.5-r1.ebuild text/plain Diego E. 'Flameeyes' Pettenò 2006-11-22 12:21 0000 2.24 KB Details



Description:   Opened: 2006-11-22 08:11 0000
KDE Security Advisory: JPEG-EXIF File Information DoS vulnerability
Original Release Date: 2006-11-XX
URL: http://www.kde.org/info/security/advisory-200611XX-1.txt

0. References

        CVE-2006-FIXME


1. Systems affected:

        kdegraphics as shipped with KDE 3.1.0 up to and including 3.5.5.

2. Overview:

        The JPEG kfile-info plugin, which is used in all KDE applications
        for showing image metainformation (for example the image size
        or EXIF embedded information) is vulnerable to an endless recursion
        EXIF parsing bug.  This particular issue was reported by Marcus
        Meissner from SUSE security.

3. Impact:

        On a regular Linux system, this can cause the process that launched
        the plugin to crash. If ulimits have been removed, it can cause the
        machine to run out of memory.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE 3.1.0 - KDE 3.5.5 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        1ce5fb77aff8f97ed21da046c1385000  post-3.5.5-kdegraphics.diff

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-11-22 11:47:31 0000 -------
Created an attachment (id=102561) [details]
post-3.5.5-kdegraphics.diff

------- Comment #2 From Diego E. 'Flameeyes' Pettenò 2006-11-22 12:19:44 0000 -------
Created an attachment (id=102565) [details]
kdegraphics-kfile-plugins-3.5.5-r1.ebuild

------- Comment #3 From Diego E. 'Flameeyes' Pettenò 2006-11-22 12:21:44 0000 -------
Created an attachment (id=102566) [details]
kdegraphics-3.5.5-r1.ebuild

------- Comment #4 From Matthias Geerdsen 2006-11-23 13:34:08 0000 -------
security liaisons, please test the ebuilds and report here if they can be
marked stable, do not commit anything yet

target keywords
kdegraphics: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
kdegraphics-kfile-plugins: "alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"

------- Comment #5 From Gustavo Zacarias (RETIRED) 2006-11-27 06:39:43 0000 -------
I'm getting consistent "The process for the file protocol died unexpectedly" on
kde startup with 3.5.5-r1.
Any hints on how to debug this?

------- Comment #6 From Markus Rothe 2006-12-04 13:21:18 0000 -------
this looks good on ppc64. I'm not getting the message from comment #5.

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-12-05 00:59:30 0000 -------
Sorry for the delay. This one is public now. Please commit a fixed ebuild.

------- Comment #8 From Diego E. 'Flameeyes' Pettenò 2006-12-05 06:54:46 0000 -------
Ebuilds in tree, enjoy.

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-12-05 22:03:51 0000 -------
Thx Diego.

Arches please test and mark stable. Target keywords are:

kdegraphics-kfile-plugins-3.5.5-r1.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64
sparc x86 ~x86-fbsd"

------- Comment #10 From Christian Faulhammer 2006-12-05 23:51:47 0000 -------
x86 done

------- Comment #11 From Markus Rothe 2006-12-06 00:16:37 0000 -------
ppc64 stable

------- Comment #12 From Bryan Østergaard (RETIRED) 2006-12-11 14:41:17 0000 -------
Stable on Alpha + ia64.

------- Comment #13 From Tobias Scherbaum 2006-12-16 05:52:05 0000 -------
kdegraphics and kdegraphics-kfile-plugins 3.5.5-r1 ppc stable.

Looks like kdegraphics has been forgotten ...

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-12-16 08:27:33 0000 -------
Thx for the pointer Tobias.

Adding back arches to mark kdegraphics-3.5.5-r1 stable.

------- Comment #15 From René Nussbaumer 2006-12-17 13:54:03 0000 -------
stable on hppa.

------- Comment #16 From Bryan Østergaard (RETIRED) 2006-12-17 15:54:01 0000 -------
kdegraphics-3.5.5-r1 stable on Alpha + ia64.

------- Comment #17 From Christian Faulhammer 2006-12-18 00:18:38 0000 -------
Stable on x86

------- Comment #18 From Markus Rothe 2006-12-18 12:21:12 0000 -------
ppc64 stable

------- Comment #19 From Diego E. 'Flameeyes' Pettenò 2006-12-18 18:20:42 0000 -------
AMD64 (or rather Intel64 ;)) done.

------- Comment #20 From Jason Wever (RETIRED) 2006-12-20 08:23:13 0000 -------
SPARC stable

------- Comment #21 From Raphael Marichez 2006-12-28 08:31:40 0000 -------
Theoretically we have to vote on this and I would vote for a GLSA, because kde is
so common and it's so easy to trigger... (nearly A3 IMHO in fact)

------- Comment #22 From Wolf Giesen (RETIRED) 2006-12-28 10:09:10 0000 -------
yes++

------- Comment #23 From Sune Kloppenborg Jeppesen 2006-12-28 10:51:16 0000 -------
Another YES vote.

------- Comment #24 From Raphael Marichez 2007-01-12 22:06:38 0000 -------
GLSA 200701-05
