Bug 264603 - KDE Xpdf JBIG2 Multiple vulnerabilities (CVE-2009-{0146,0147,0165,0166})
Summary: KDE Xpdf JBIG2 Multiple vulnerabilities (CVE-2009-{0146,0147,0165,0166})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [noglsa]
Keywords:
Depends on: CVE-2009-0146 271889
Blocks:
Reported: 2009-04-02 10:49 UTC by Robert Buchholz (RETIRED)
Modified: 2013-10-06 16:10 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
kde-Xpdf-JBIG2.patch (kde-Xpdf-JBIG2.patch,26.38 KB, patch)
2009-05-29 12:26 UTC, Robert Buchholz (RETIRED)
kde-CVE-2009-1188.patch (kde-CVE-2009-1188.patch,496 bytes, patch)
2009-05-29 12:27 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:49:54 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Multiple vulnerabilities have been discovered in Xpdf as shipped in
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics

Please find Xpdf patches in the blocking bug.
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2009-04-02 11:30:26 UTC
Hi, I would love to help,
but I don't have KDE 3 for testing the patches.
I will take the liberty and CC tampakrap, who actually can do the testing etc.

I am maintaining only the KDE 4 version of koffice.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-04 12:26:41 UTC
Embargo has been pushed back to 2009-04-16.

I am not sure kde upstream is in the loop for this already.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-25 12:43:05 UTC
KDE herd, please provide updates to the supported KDE 3.5 ebuilds:

ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-28 09:05:42 UTC
Why is this blocking bug 245954? Is it fixed in 3.5.10? If it is not, please apply the fixes. If stabilization of 3.5.10 is expected to take longer than 5 days from now, please also apply the fixes to 3.5.9 so we can stable before that.

This bug has been sitting without attention by the KDE herd for too long.
Comment 5 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2009-05-28 15:28:58 UTC
Sorry for the long delay, I was very busy the last month and there is no other KDE 3 maintainer at the moment. I took care of the security bugs yesterday. This weekend I'm going to finish with the major bugs of KDE 3 and go for stabilization. The patches partially failed for kword and kpdf (monolithic). I won't fix kdegraphics as monolithic KDE 3 ebuilds are going to be removed. I'll spend my afternoon on this and report back with a solution.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 12:26:32 UTC
Created attachment 192878
kde-Xpdf-JBIG2.patch

KPDF port of xpdf-3.02pl3.patch
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 12:27:05 UTC
Created attachment 192879
kde-CVE-2009-1188.patch
Comment 8 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2009-05-29 15:50:39 UTC
kpdf-3.5.10-r1 in tree, it has the above patches, thank you very much for them :)
kpdf-3.5.9 and kdegraphics-3.5.9 won't be fixed as they will be removed after 3.5.10 stabilization.
Comment 9 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2009-05-30 17:15:50 UTC
I have opened a stabilization bug for KDE 3.5.10, adding it to the depends bug list.
Comment 10 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2010-01-23 15:19:13 UTC
KDE 3 is not in the tree any more. CC us again if you need anything. Thanks.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 11:49:38 UTC
(In reply to comment #10)
> KDE 3 is not in tree any more. CC us again if you need anything. thanks

Looks like there's nothing to be stabilized anymore, should we make a decision about GLSA?
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-10 19:05:17 UTC
A2 needs a GLSA, read http://www.gentoo.org/security/en/vulnerability-policy.xml.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 22:30:14 UTC
GLSA request filed.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-06 16:10:26 UTC
Package long gone. noglsa.