** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **
Multiple vulnerabilities have been discovered in Xpdf as shipped in
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics
Please find Xpdf patches in the blocking bug.
Hi, I would love to help, but I don't have the kde3 for testing the patches. I will take the liberty and cc tampakrap, who actually can do the testing etc. I am maintaining only the kde4 version of koffice.
Embargo has been pushed back to 2009-04-16. I am not sure kde upstream is in the loop for this already.
KDE herd, please provide updates to the supported KDE 3.5 ebuilds: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch
Why is this blocking bug 245954? Is it fixed in 3.5.10? If it is not, please apply fixes. If stabilization of 3.5.10 is expected to take longer than 5 days from now, please also apply fixes to 3.5.9 so we can stable before that. This bug has been sitting without attention by the kde for too long.
Sorry for the long delay, I was very busy the last month and there is no other kde3 maintainer at the moment. I took care of the security bugs yesterday. This weekend I'm going to finish with the major bugs of kde3 and go for stabilization. The patches partially failed for kword and kpdf (monolithic). I won't fix kdegraphics as monolithic kde3 ebuilds are going to be removed. I'll spend my afternoon on this and report back with a solution.
Created attachment 192878: kde-Xpdf-JBIG2.patch (KPDF port of xpdf-3.02pl3.patch)
Created attachment 192879: kde-CVE-2009-1188.patch
kpdf-3.5.10-r1 in tree, it has the above patches, thank you very much for them :) kpdf-3.5.9 and kdegraphics-3.5.9 won't be fixed as they will be removed after 3.5.10 stabilization.
I have opened a stabilization bug for kde 3.5.10, adding it to the depend bug list.
KDE 3 is not in tree any more. CC us again if you need anything. Thanks.
(In reply to comment #10)
> KDE 3 is not in tree any more. CC us again if you need anything. thanks
Looks like there's nothing to be stabilized anymore, should we make a decision about GLSA?
A2 needs a GLSA, read http://www.gentoo.org/security/en/vulnerability-policy.xml.
GLSA request filed.
Package long gone. noglsa.