Security Release Note: Fixed the security flaw which version 1.2.8 was supposed to, but did not, fix. The flaw enables any other local user to gain the privileges of the user running KDbg provided the other users can access the directory of the program being debugged. All versions of KDbg from 1.1.8 to 1.2.8, inclusive, including all development versions, are vulnerable. (copied from apps.kde.com) What's the gentoo policy - is KDE 2.x still supported? I'm asking, because the ebuild could support it, but I don't know how to do this. need-kde() doesn't support something like >=2 and the kde-functions.eclass doesn't export kde[minor/major] versions as distutils.eclass with $PYVER. btw.: Shouldn't be there a eclass variable naming agreement? $PYVER_MAJOR & $KDEMAJORVER isn't consistent. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Created attachment 17288 [details] kdbg-1.2.9.ebuild
Dan: added you, because you are the author of kde-functions.eclass
Adding security so that they can file a GLSA if they deem it appropriate. Removing dan since he doesn't want bugs assigned to him anymore. The ebuild has been added - waiting for security team to make a move before resolving the bug.
Caleb: Sorry, I didn't know that Dan don't want to get bugs assigned. The questions remain... - is KDE 2.x still supported? - how about kde-functions.eclass / KDE version export - should I file an extra bug report? e.g. In #27401 I worked around this, comparing $KDEDIR with a hardcoded path, to distinct between KDE 3 and 3.x. But that's the way it should work.
We are not supporting kde 2 and only leaving it available in portage for posterity. I haven't been applying security fixes for it either. I suppose it will be taken out in the next few months. As far as the second part goes, I don't have a good answer. Your hacked solution in the pykde ebuild probably isn't the best, but if it works I say it's okay. If we need to make changes to the eclass, go ahead and file another bug.
this ebuild has been put in portage.
*** Bug 28153 has been marked as a duplicate of this bug. ***