
Bug 125621

Summary: kpdf official patch for kde 3.3 is not sufficient (CVE-2006-0746)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: major
CC: kde
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0746
Whiteboard: A2 [ebuild]
Package list:
Runtime testing required: ---
Attachments: CVE-2006-0746_incremental.diff (flags: none)

Description Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:04:40 UTC
From Mandriva MDKSA-2006:054

 Marcelo Ricardo Leitner discovered the official published kpdf
 patches for several previous xpdf vulnerabilities were lacking some
 hunks published by upstream xpdf. As a result, kpdf is still
 vulnerable to certain carefully crafted pdf files.

We should check if we are also affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:06:02 UTC
Created attachment 81778 [details, diff]
CVE-2006-0746_incremental.diff

Incremental patch, courtesy of Dirk Mueller from KDE.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 10:06:36 UTC
KDE team, please check and patch if affected.
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-09 10:31:53 UTC
(In reply to comment #2)
> KDE team, please check and patch if affected.
> 

KDE 3.3 is not supported anymore. Previous GLSAs were >=kde-3.4 as well.
Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2006-03-09 10:33:03 UTC
Agreed, I think we're better off just removing kde 3.3 from portage and encouraging an upgrade to 3.4
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-09 10:44:12 UTC
+1 on removing KDE 3.3
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-03-10 10:26:34 UTC
Closing as INVALID then