Bug 125621 - kpdf official patch for kde 3.3 is not sufficient (CVE-2006-0746)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A2 [ebuild]
 
Reported: 2006-03-09 10:04 UTC by Thierry Carrez (RETIRED)
Modified: 2006-03-10 10:26 UTC

Attachments
CVE-2006-0746_incremental.diff (CVE-2006-0746_incremental.diff,687 bytes, patch)
2006-03-09 10:06 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:04:40 UTC
From Mandriva MDKSA-2006:054

 Marcelo Ricardo Leitner discovered the official published kpdf
 patches for several previous xpdf vulnerabilities were lacking some
 hunks published by upstream xpdf. As a result, kpdf is still 
 vulnerable to certain carefully crafted pdf files.

We should check if we are also affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:06:02 UTC
Created attachment 81778
CVE-2006-0746_incremental.diff

Incremental patch, courtesy of Dirk Mueller from KDE.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:06:36 UTC
KDE team, please check and patch if affected.
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-09 10:31:53 UTC
(In reply to comment #2)
> KDE team, please check and patch if affected.
> 

KDE 3.3 is not supported anymore. Previous GLSAs were >=kde-3.4 as well.
Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2006-03-09 10:33:03 UTC
Agreed, I think we're better off just removing kde 3.3 from portage and encouraging an upgrade to 3.4
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-09 10:44:12 UTC
+1 on removing KDE 3.3
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-03-10 10:26:34 UTC
Closing as INVALID then