28220 2003-09-08 15:37 0000 security upd.: kdbg 1.2.9.ebuild 2003-09-15 23:49:24 0000 1 1 1 Unclassified Gentoo Linux KDE unspecified All Linux RESOLVED FIXED EBUILD P2 enhancement --- 1 carlo@gentoo.org kde@gentoo.org pythonhead@gentoo.org security@gentoo.org carlo@gentoo.org 2003-09-08 15:37:53 0000 Security Release Note: Fixed the security flaw which version 1.2.8 was supposed to, but did not, fix. The flaw enables any other local user to gain the privileges of the user running KDbg provided the other users can access the directory of the program being debugged. All versions of KDbg from 1.1.8 to 1.2.8, inclusive, including all development versions, are vulnerable. (copied from apps.kde.com) What's the gentoo policy - is KDE 2.x still supported? I'm asking, because the ebuild could support it, but I don't know how to do this. need-kde() doesn't support something like >=2 and the kde-functions.eclass doesn't export kde[minor/major] versions as distutils.eclass with $PYVER. btw.: Shouldn't be there a eclass variable naming agreement? $PYVER_MAJOR & $KDEMAJORVER isn't consistent. Reproducible: Always Steps to Reproduce: 1. 2. 3. carlo@gentoo.org 2003-09-08 15:38:25 0000 Created an attachment (id=17288) kdbg-1.2.9.ebuild carlo@gentoo.org 2003-09-08 16:51:37 0000 Dan: added you, because you are the author of kde-functions.eclass caleb@gentoo.org 2003-09-09 07:07:26 0000 Adding security so that they can file a GLSA if they deem it appropriate. Removing dan since he doesn't want bugs assigned to him anymore. The ebuild has been added - waiting for security team to make a move before resolving the bug. carlo@gentoo.org 2003-09-09 08:23:33 0000 Caleb: Sorry, I didn't know that Dan don't want to get bugs assigned. The questions remain... - is KDE 2.x still supported? - how about kde-functions.eclass / KDE version export - should I file an extra bug report? e.g. In #27401 I worked around this, comparing $KDEDIR with a hardcoded path, to distinct between KDE 3 and 3.x. But that's the way it should work. caleb@gentoo.org 2003-09-09 08:31:10 0000 We are not supporting kde 2 and only leaving it available in portage for posterity. I haven't been applying security fixes for it either. I suppose it will be taken out in the next few months. As far as the second part goes, I don't have a good answer. Your hacked solution in the pykde ebuild probably isn't the best, but if it works I say it's okay. If we need to make changes to the eclass, go ahead and file another bug. caleb@gentoo.org 2003-09-15 19:36:12 0000 this ebuild has been put in portage. caleb@gentoo.org 2003-09-15 19:36:34 0000 *** Bug 28153 has been marked as a duplicate of this bug. *** 17288 2003-09-08 15:38 0000 kdbg-1.2.9.ebuild kdbg-1.2.9.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDAzIEdlbnRvbyBUZWNobm9sb2dpZXMsIEluYy4KIyBEaXN0cmli dXRlZCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIHYy CiMgJEhlYWRlcjogJAoKaW5oZXJpdCBrZGUKCm5lZWQta2RlIDMKCklVU0U9IiIKREVTQ1JJUFRJ T049IkEgR3JhcGhpY2FsIERlYnVnZ2VyIEludGVyZmFjZSB0byBnZGIiClNSQ19VUkk9Im1pcnJv cjovL3NvdXJjZWZvcmdlL2tkYmcvJHtQfS50YXIuZ3oiCkhPTUVQQUdFPSJodHRwOi8vbWVtYmVy cy5uZXh0cmEuYXQvam9oc2l4dC9rZGJnLmh0bWwiCgojbXljb25mPSIke215Y29uZn0gLS13aXRo LWtkZS12ZXJzaW9uPTMiCgojZXhwb3J0IExJQlFUTVQ9Ii1scXQtbXQiCgpMSUNFTlNFPSJHUEwt MiIKS0VZV09SRFM9Ing4NiB+c3BhcmMgIH5wcGMiCgpSREVQRU5EPSI+PXN5cy1kZXZlbC9nZGIt NS4wIg==