Bug 114429 - app-office/{koffice,kword}|kde-base/{kpdf,kdegraphics}: several security holes (CAN-2005-319{1|2|3})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: A2? [] jaervosz
Keywords:
Duplicates: 114433
Depends on:
Blocks:
 
Reported: 2005-12-04 03:48 UTC by Carsten Lohrke (RETIRED)
Modified: 2019-12-08 22:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-12-04 03:48:18 UTC
I'm working on it.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-04 04:36:17 UTC
*** Bug 114433 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-04 04:38:16 UTC
Sorry for the dupe Carlo. Is koffice unaffected by this one? 
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-05 18:07:50 UTC
And another round...

<<< kpdf-3.4.3-r1.ebuild
<<< kdegraphics-3.4.3-r1.ebuild

<<< kword-1.4.2-r2.ebuild
<<< koffice-1.4.2-r2.ebuild  (yes r2, not r3)


If some archs really can't do the now forced upgrade to KDE 3.4.3, please drop a
line and I'll have a look at KDE 3.4.1.
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2005-12-06 11:04:14 UTC
kpdf-3.4.3-r1,  kword-1.4.2-r2,  koffice-1.4.2-r2 stable on ppc64 
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-06 13:57:22 UTC
Stable on ppc, none of the packages is in (~)hppa.
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-06 14:34:23 UTC
(In reply to comment #5)
> Stable on ppc, none of the packages is in (~)hppa.

koffice and kdegraphics are, the split packages aren't.
Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-12-07 11:48:25 UTC
Stable on amd64. 
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2005-12-07 14:09:42 UTC
x86 needs this backported to 3.4.1 as we don't have 3.4.3 stable yet.  cpw is
still trying to work out the remaining issues before we mark KDE-3.4.3 stable.
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-07 18:36:57 UTC
(In reply to comment #8)
> x86 needs this backported to 3.4.1 as we don't have 3.4.3 stable yet.

The existing patches apply and should work, didn't test though. Same for bug
114583.

>  cpw is
> still trying to work out the remaining issues before we mark KDE-3.4.3 stable.

What issues? There were no really problematic regression bugs against 3.4.3 iirc
and it ran fine here for two months. x86 is really the least arch I expected
problems with.
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2005-12-07 18:41:02 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > x86 needs this backported to 3.4.1 as we don't have 3.4.3 stable yet.
> 
> The existing patches apply and should work, didn't test though. Same for bug
> 114583.

Okay, could you make those ebuilds so I can mark them?

> >  cpw is
> > still trying to work out the remaining issues before we mark KDE-3.4.3 stable.
> 
> What issues? There were no really problematic regression bugs against 3.4.3 iirc
> and it ran fine here for two months. x86 is really the least arch I expected
> problems with.

You can look at the KDE 3.4.3 stabilization, bug #112842.  Patches have been
getting added to fix the issues he found, but I'm not rushing 3.4.3 to be
stabilized just to fix these security issues.  It's two separate problems.
Comment 11 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-07 18:45:15 UTC
> Okay, could you make those ebuilds so I can mark them?

Already in cvs.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-08 06:05:49 UTC
Upstream patches are not complete. Back to upstream status for now. 
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-09 13:08:13 UTC
I'm sorry that some of you have to do the work twice, but don't blame me please...

<<< kword-1.4.2-r4.ebuild
<<< koffice-1.4.2-r4.ebuild

<<< kpdf-3.4.1-r3.ebuild
<<< kpdf-3.4.3-r2.ebuild
<<< kdegraphics-3.4.1-r3.ebuild
<<< kdegraphics-3.4.3-r2.ebuild
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2005-12-09 19:13:03 UTC
You deleted the ppc stable version of kdegraphics-3.4.3, which broke the tree. 
:p  Please don't do that in the future.  I've marked kdegraphics-3.4.3-r2 stable
to fix this.
Comment 15 Chris White (RETIRED) gentoo-dev 2005-12-09 22:23:43 UTC
Halyc0n got koffice stuff, I got kdegraphics stuff.
Comment 16 Richard Freeman gentoo-dev 2005-12-10 05:00:39 UTC
(In reply to comment #14)
> You deleted the ppc stable version of kdegraphics-3.4.3, which broke the tree. 
> :p  Please don't do that in the future.  I've marked kdegraphics-3.4.3-r2 stable
> to fix this.

Ditto for amd64 - I'm getting a forced downgrade back to kword-1.4.2 and
kpdf-3.4.3.  The previous stable version may still have had issues, but the
older version obviously isn't any better, and there isn't any sense in making
everybody downgrade only to have them upgrade a few days later when the latest
version does get marked stable.  Please refrain from deleting the latest stable
package.
Comment 17 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-12-11 07:47:59 UTC
Stable on amd64 again. 
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2005-12-11 13:52:54 UTC
stable on ppc64 
Comment 19 Jason Wever (RETIRED) gentoo-dev 2005-12-11 19:32:17 UTC
Stable on SPARC
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-12-12 03:34:11 UTC
still missing:

kword-1.4.2-r4: alpha ppc
koffice-1.4.2-r4: alpha ppc
kpdf-3.4.3-r2 (or 3.4.1-r3): alpha ppc
kdegraphics-3.4.3-r2 (or 3.4.1-r3): hppa ia64 mips ppc64?
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-12-12 11:15:31 UTC
kde-3.4.x was never marked ppc64 - only kde-meta-3.4.x. (yea, I'm lazy...) 
Comment 22 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-12 12:36:04 UTC
ppc and hppa done
Comment 23 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-12-13 05:08:26 UTC
(In reply to comment #20)
> still missing:
> 
> kword-1.4.2-r4: alpha ppc
> koffice-1.4.2-r4: alpha ppc
> kpdf-3.4.3-r2 (or 3.4.1-r3): alpha ppc

I've been working on alpha keywording for several days already, but koffice is a
little beast and takes a lot of time to compile on our alpha cluster. 

Hope to have it finished ASAP, but also bug #112840 (about marking 1.4.2 stable)
seems to be needed before closing this. 

BTW, Carlo, are the koffice tests working on any arch? On Alpha they failed.
Comment 24 Carsten Lohrke (RETIRED) gentoo-dev 2005-12-13 06:22:23 UTC
(In reply to comment #23)
> BTW, Carlo are the koffice tests working on any arch? On Alpha failed.
> 

The KDE herd simply ignores them, but we're fond of guys with patches, though.
:) But hold your breath, it looks like this is a neverending story and we'll see
another round of patches. :(
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-14 04:06:01 UTC
alpha, mips please test and mark stable. Don't hold your breath for the second 
round of stable marking, please. 
Comment 26 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-12-16 18:47:59 UTC
kword-1.4.2-r4, koffice-1.4.2-r4 and kpdf-3.4.3-r2 are now marked stable on alpha.

I'm sorry guys about the delay on this, but trust me when I tell you it has been hell to keyword these packages during this week. :(

(In reply to comment #24)
> The KDE herd simply ignores them, but we're fond of guys with patches, though.
> :) But hold your breath, it looks like this is a neverending story and we'll see another round of patches. :(

It would be much appreciated for us. Thanks.
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 04:13:57 UTC
Maybe better to wait for more. GLSA ready though and we issued one for [x-g]pdf... so jaervosz's call
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-03 07:56:57 UTC
Fixing all kpdf issues on bug #115851 -> Closing.