--- ./kxsldbg/kxsldbgpart/libxsldbg/file_cmds.cpp.orig 2005-12-04 11:02:02.000000000 +0100 +++ ./kxsldbg/kxsldbgpart/libxsldbg/file_cmds.cpp 2005-12-04 11:04:00.000000000 +0100 @@ -175,7 +175,7 @@ } else { xsldbgGenericErrorFunc(i18n("PublicID \"%1\" was not found in current catalog.\n").arg(xsldbgText(arg))); } - xsltGenericError(xsltGenericErrorContext, buffer); + xsltGenericError(xsltGenericErrorContext, "%s", buffer); } return result; }
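Review bot: the xsltGenericError call sits after the closing brace of the if/else, so it also runs on the "PublicID ... was not found" path, where nothing visible in this hunk writes to buffer. Confirm that buffer is initialised (or empty) on that path, or move the call into the branch that fills it. The "%s" is the right fix for passing buffer as the format argument, but this patch touches only this one call; any other place in libxsldbg that passes a buffer directly as the format to xsltGenericError needs the same change.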
Here we go... <<< kxsldbg-3.4.3-r1.ebuild <<< kdewebdev-3.4.3-r1.ebuild
ppc and hppa done.
sparc stable.
Stable on amd64.
x86 needs this backported to 3.4.1 as we don't have 3.4.3 stable yet. cpw is still trying to work out the remaining issues before we mark KDE-3.4.3 stable.
Carlo we need it backported as per above comment.
(In reply to comment #6)
> Carlo we need it backported as per above comment.

It is. I thought a comment in one bug suffices.
Thx Carlo. Unless otherwise noted one comment applies to one bug for me:-) Back to stable marking.
x86 done
kxsldbg-3.4.1-r1 and kdewebdev-3.4.1-r1 are stable on alpha. Thanks to carlo for backporting the patches. This makes our life much easier.
shouldn't ppc64 also mark stable ?
kxsldbg-3.4.1-r1 stable on ppc64. kdewebdev-3.4.x not even ~ppc64.
ppc64 has kxsldbg-3.4.3 stable so might need to mark 3.4.3-r1 too ?
Yes, you are right. My mistake. kxsldbg-3.4.3-r1 is stable on ppc64 now.
Should we do a GLSA on this one? I see no other advisories, not even from KDE.
The exploit path is a little weird. Probably takes a malicious XSL file to be imported ? I tend to vote yes nevertheless, but I would welcome input from the reporter (Carsten ?).
Based on draft comment, I revert to 1/2 NO
(In reply to comment #16)
> The exploit path is a little weird. Probably takes a malicious XSL file to be
> imported ?

Yes. I pushed it to you, since this is the Gentoo way for this sort of bug, but it's highly unlikely that you grab such an xsl file and process it with kxsldbg. In KDE svn the KDE 3.4 branch wasn't even fixed, I'm pretty sure there won't be an announcement and don't think we need one either.
Heh, full NO from me then. Another NO voter can close this one as FIXED/noglsa
NO