Bug 78620 - app-office/koffice includes vulnerable xpdf again
Bug#: 78620 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Summary: app-office/koffice includes vulnerable xpdf again
Keywords:  
Status Whiteboard: B2 [glsa] jaervosz
Opened: 2005-01-18 22:19 0000
Description:
koffice includes xpdf code and therefore might be vulnerable to CAN-2005-0064.
Please see bug 77888 for details.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-01-19 00:54:15 0000 -------
KDE team, please bump koffice. Upstream patch is available on bug #77888.

------- Comment #2 From Carsten Lohrke 2005-01-19 04:42:59 0000 -------
<<< koffice-1.3.5-r2.ebuild

herds, please mark stable - would be nice to have it in 2005.0

------- Comment #3 From Caleb Tennis 2005-01-20 09:51:22 0000 -------
Created an attachment (id=49045) [details]
Patch

According to an email from Waldo Bastian, this is the preferred fix for
koffice's xpdf problem.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-01-20 10:07:03 0000 -------
Back to ebuild. KDE, please decide which patch you want to use.

------- Comment #5 From Carsten Lohrke 2005-01-20 10:11:27 0000 -------
"Both patches fix the same issue. The koffice patch doesn't seem to handle the 
keyLength == 0 case though. The koffice patch is the patch that went into 
xpdf upstream."

is exactly what he said. The question is whether we need to revise the patch for that reason. If it doesn't matter from the functionality and security perspective, it would only be an issue if we have another problem which needs to be patched. Also, this affects all ebuilds which apply the CAN-2005-0064.patch, not only koffice.

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-01-20 10:28:41 0000 -------
Thx Carsten, that will be your headache on the next xpdf vulnerability :-)

Arches please test and mark stable.

------- Comment #7 From Markus Rothe 2005-01-20 11:30:12 0000 -------
stable on ppc64

------- Comment #8 From Karol Wojtaszek (RETIRED) 2005-01-20 15:06:40 0000 -------
amd64 done

------- Comment #9 From Michael Hanselmann (hansmi) (RETIRED) 2005-01-21 12:38:21 0000 -------
Stable on ppc.

------- Comment #10 From Gustavo Zacarias (RETIRED) 2005-01-21 12:40:06 0000 -------
sparc stable.

------- Comment #11 From Bryan Østergaard (RETIRED) 2005-01-21 12:51:05 0000 -------
Stable on alpha.

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-01-22 13:44:29 0000 -------
*** Bug 79135 has been marked as a duplicate of this bug. ***

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-01-23 06:07:24 0000 -------
GLSA 200501-32