78620 2005-01-18 22:19 0000 app-office/koffice includes vulnerable xpdf again 2005-01-23 06:07:24 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities B2 [glsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org kde@gentoo.org soulse@gmail.com jaervosz@gentoo.org 2005-01-18 22:19:34 0000 koffice includes xpdf code and therefore might be vulnerable CAN-2005-0064. Please see bug 77888 for details. jaervosz@gentoo.org 2005-01-19 00:54:15 0000 KDE team, please bump koffice. Upstream patch is available on bug #77888. carlo@gentoo.org 2005-01-19 04:42:59 0000 <<< koffice-1.3.5-r2.ebuild herds, please mark stable - would be nice to have it in 2005.0 caleb@gentoo.org 2005-01-20 09:51:22 0000 Created an attachment (id=49045) Patch According to an email from Waldo Bastian, this is the preferred fix for koffice's xpdf problem. jaervosz@gentoo.org 2005-01-20 10:07:03 0000 Back to ebuild. Kde please decide which patch you want to use. carlo@gentoo.org 2005-01-20 10:11:27 0000 "Both patches fix the same issue. The koffice patch doesn't seem to handle the keyLength == 0 case though. The koffice patch is the patch that went into xpdf upstream." is exactly what he said. The question is, if we need to revise the patch for that reason. If it doesn't matter from the functionality and security perspective, it would only be an issue, if we have another problem, which needs to be patched. Also this affects all ebuilds, which apply the CAN-2005-0064.patch, not only koffice. jaervosz@gentoo.org 2005-01-20 10:28:41 0000 Thx Carsten, that will be your head ache on the next xpdf vulnerability:-) Arches please test and mark stable. corsair@gentoo.org 2005-01-20 11:30:12 0000 stable on ppc64 sekretarz@gentoo.org 2005-01-20 15:06:40 0000 amd64 done hansmi@gentoo.org 2005-01-21 12:38:21 0000 Stable on ppc. gustavoz@gentoo.org 2005-01-21 12:40:06 0000 sparc stable. kloeri@gentoo.org 2005-01-21 12:51:05 0000 Stable on alpha. jaervosz@gentoo.org 2005-01-22 13:44:29 0000 *** Bug 79135 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2005-01-23 06:07:24 0000 GLSA 200501-32 49045 2005-01-20 09:51 0000 Patch post-1.3.5-koffice.diff text/plain SW5kZXg6IGtvZmZpY2UvZmlsdGVycy9rd29yZC9wZGYveHBkZi94cGRmL1hSZWYuY2MKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQpSQ1MgZmlsZTogL2hvbWUva2RlL2tvZmZpY2UvZmlsdGVycy9rd29yZC9wZGYveHBkZi94 cGRmL1hSZWYuY2MsdgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuNgpyZXRyaWV2aW5nIHJldmlzaW9u IDEuOApkaWZmIC11IC1wIC1yMS42IC1yMS44Ci0tLSBrb2ZmaWNlL2ZpbHRlcnMva3dvcmQvcGRm L3hwZGYveHBkZi9YUmVmLmNjCTMwIE9jdCAyMDA0IDE2OjM1OjMzIC0wMDAwCTEuNgorKysga29m ZmljZS9maWx0ZXJzL2t3b3JkL3BkZi94cGRmL3hwZGYvWFJlZi5jYwkyMCBKYW4gMjAwNSAxNzoz NjozOCAtMDAwMAkxLjgKQEAgLTUwMSw2ICs1MDEsMTIgQEAgR0Jvb2wgWFJlZjo6Y2hlY2tFbmNy eXB0ZWQoR1N0cmluZyAqb3duZQogCX0gZWxzZSB7CiAJICBrZXlMZW5ndGggPSA1OwogCX0KKwlp ZiAoa2V5TGVuZ3RoIDwgMSkgeworCSAga2V5TGVuZ3RoID0gMTsKKwl9CisJaWYgKGtleUxlbmd0 aCA+IDE2KSB7CisJICBrZXlMZW5ndGggPSAxNjsKKwl9CiAJcGVybUZsYWdzID0gcGVybWlzc2lv bnMuZ2V0SW50KCk7CiAJaWYgKGVuY1ZlcnNpb24gPj0gMSAmJiBlbmNWZXJzaW9uIDw9IDIgJiYK IAkgICAgZW5jUmV2aXNpb24gPj0gMiAmJiBlbmNSZXZpc2lvbiA8PSAzKSB7Cg==