Comment 1 Carsten Lohrke (RETIRED) 2005-05-10 07:32:43 UTC

Sent report and patch upstream, so others distros get the information as well. kview notices the invalid jpeg data, but doesn't care about exif data at all.

Comment 2 Carsten Lohrke (RETIRED) 2005-05-13 07:38:35 UTC

Is this bug vendor-sec restricted or why is it a hidden one? I did not get any response yet (and "yet" may go against infinite, since I did not get a direct response the last time either), but there's no reason not to apply the necessary patch and disclose, imho.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-13 10:02:27 UTC

Auditors please check wether this is exploitable or just a crash.

Comment 4 Carsten Lohrke (RETIRED) 2005-05-13 10:31:16 UTC

Created attachment 58825 [details]
kdegraphics-kfile-plugins-3.4.0-exif.diff

Oh, if it even gets audited, I'm attaching the patch I want to apply. I know
it's quick and dirty and I would wrap the function properly, if I'd maintain
the code, but I don't see any problem with it, since the function is not used
elsewhere.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-13 22:12:59 UTC

Auditors please confirm the issue and patch and let's get patching.

Comment 6 rob holland (RETIRED) 2005-05-16 12:39:59 UTC

No issues other than annoyance that I can see. It may recurse to far and overflow the stack and crash. Can't see it being exploitable.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-16 13:13:21 UTC

Not a security issue -> opening and reassinging to KDE.

Have fun:-)

Comment 8 Dan Armak (RETIRED) 2005-06-28 12:11:03 UTC

Carsten, is there a reason you haven't applied this locally? Was there a   
bad reaction upstream or something? 

Comment 9 Caleb Tennis (RETIRED) 2006-11-14 10:04:45 UTC

I think this can be closed.