Bug 28220 - security upd.: kdbg 1.2.9.ebuild
Bug#: 28220 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: kde@gentoo.org Reported By: carlo@gentoo.org
Component: KDE
URL: 
Summary: security upd.: kdbg 1.2.9.ebuild
Keywords:  EBUILD
Status Whiteboard: 
Opened: 2003-09-08 15:37 0000
Description:   Opened: 2003-09-08 15:37 0000 
Security Release Note:  Fixed the security flaw which version 1.2.8 was
supposed
to, but did not, fix. The flaw enables any other local user to gain the
privileges of the user running KDbg provided the other users can access the
directory of the program being debugged. All versions of KDbg from 1.1.8 to
1.2.8, inclusive, including all development versions, are vulnerable. 
(copied from apps.kde.com)

What's the gentoo policy - is KDE 2.x still supported? I'm asking, because the
ebuild could support it, but I don't know how to do this. need-kde() doesn't
support something like >=2 and the kde-functions.eclass doesn't export
kde[minor/major] versions as distutils.eclass with $PYVER. btw.: Shouldn't be
there a eclass variable naming agreement? $PYVER_MAJOR & $KDEMAJORVER isn't
consistent.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

------- Comment #1 From Carsten Lohrke 2003-09-08 15:38:25 0000 ------- 
Created an attachment (id=17288) [details]
kdbg-1.2.9.ebuild

------- Comment #2 From Carsten Lohrke 2003-09-08 16:51:37 0000 ------- 
Dan: added you, because you are the author of kde-functions.eclass

------- Comment #3 From Caleb Tennis 2003-09-09 07:07:26 0000 ------- 
Adding security so that they can file a GLSA if they deem it appropriate. 
 
Removing dan since he doesn't want bugs assigned to him anymore. 
 
The ebuild has been added - waiting for security team to make a move before resolving the 
bug.

------- Comment #4 From Carsten Lohrke 2003-09-09 08:23:33 0000 ------- 
Caleb: Sorry, I didn't know that Dan don't want to get bugs assigned. The
questions remain...

- is KDE 2.x still supported?
- how about kde-functions.eclass / KDE version export - should I file an extra
bug report? e.g. In #27401 I worked around this, comparing $KDEDIR with a
hardcoded path, to distinct between KDE 3 and 3.x. But that's the way it should
work.

------- Comment #5 From Caleb Tennis 2003-09-09 08:31:10 0000 ------- 
We are not supporting kde 2 and only leaving it available in portage for
posterity.  I haven't 
been applying security fixes for it either.  I suppose it will be taken out in
the next few 
months. 

As far as the second part goes, I don't have a good answer.  Your hacked
solution in the 
pykde ebuild probably isn't the best, but if it works I say it's okay.  If we
need to make 
changes to the eclass, go ahead and file another bug.

------- Comment #6 From Caleb Tennis 2003-09-15 19:36:12 0000 ------- 
this ebuild has been put in portage.

------- Comment #7 From Caleb Tennis 2003-09-15 19:36:34 0000 ------- 
*** Bug 28153 has been marked as a duplicate of this bug. ***