Summary: | <kde-base/plasma-workspace-4.10.5-r2 : two vulnerabilities (CVE-2013-{4132,4133}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | |
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2013/07/16/3 | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 477634 | |
Bug Blocks: | | |
Description
Agostino Sarubbo
2013-07-18 18:57:54 UTC
Second one didn't actually make it into 4.10.5 but has been added locally in 4.10.5-r1. @KDE team: do we want to backport or just go ahead and stabilize 4.10.5 early?

The first one didn't make it into 4.10.5 either (missed the tag/release deadline by a day or two).

[1] http://www.openwall.com/lists/oss-security/2013/07/16/7

--mancha

(In reply to mancha from comment #2)
> The first one didn't make it into 4.10.5 either (missed the tag/release
> deadline by a day or two).
>
> [1] http://www.openwall.com/lists/oss-security/2013/07/16/7
>
> --mancha

Thanks for taking care of it.

Hey guys, please tell me next time when you want a patch added what it's for... I admit I was lazy and did not look it up myself, but it would be better to have a reference to the bug or the CVE in the changelog...

Thanks all.

<kde-base/plasma-workspace-4.10.5-r2 removed from tree. kde herd is out of the game.

+ 02 Aug 2013; Johannes Huber <johu@gentoo.org>
+ -plasma-workspace-4.10.4-r1.ebuild, -plasma-workspace-4.10.4-r2.ebuild:
+ Remove KDE SC 4.10.4

GLSA vote: no

GLSA vote: no

Closing as noglsa

CVE-2013-4132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4132): KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5 encrypted password, when FIPS-140 is enabled, to KDM or an (4) invalid password to KCheckPass.
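The CVE-2013-4132 description above comes down to one missing check: glibc 2.17's crypt() can return NULL (malformed salt, or DES/MD5 hashes refused in FIPS mode), and code that passes that result straight to strcmp() dereferences it. The following is an added example, not KDM/KCheckPass code from the bug: it shows the hardened check, and uses a constructed stand-in for crypt(3) (`fake_fips_crypt`, which only accepts "$6$" salts and emits a toy hash) so the block builds without -lcrypt; the "$6$x$hunter2" and DES-style "abcdefghijklm" values are constructed test data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verify_result { VERIFY_OK = 0, VERIFY_MISMATCH = 1, VERIFY_ERROR = 2 };

/* Same shape as crypt(3). glibc >= 2.17 returns NULL and sets errno when it
 * cannot hash: malformed salt, or DES/MD5 salts while FIPS-140 mode is on. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Vulnerable pattern described in the advisory, for reference only:
 *     if (strcmp(crypt(key, stored), stored) == 0) ...   // NULL deref when crypt() fails */

/* Hardened check: a NULL hash result is a hard failure, never a match, never dereferenced. */
static enum verify_result verify_password(crypt_fn hashfn, const char *key, const char *stored)
{
    if (hashfn == NULL || key == NULL || stored == NULL || stored[0] == '\0')
        return VERIFY_ERROR;
    errno = 0;
    const char *computed = hashfn(key, stored);   /* stored hash doubles as the salt */
    if (computed == NULL)
        return VERIFY_ERROR;        /* errno says why; callers should log it and deny */
    size_t n = strlen(stored);
    if (strlen(computed) != n)
        return VERIFY_MISMATCH;
    unsigned char diff = 0;         /* constant-time comparison of the two hashes */
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0 ? VERIFY_OK : VERIFY_MISMATCH;
}

/* Constructed stand-in for crypt(3): accepts only SHA-512 ("$6$") salts, the way a
 * FIPS-mode glibc refuses DES/MD5, and returns a predictable toy hash (not real crypt). */
static char *fake_fips_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (strncmp(salt, "$6$", 3) != 0) {
        errno = EINVAL;             /* DES/MD5 or garbage salt: refused, NULL returned */
        return NULL;
    }
    snprintf(out, sizeof out, "$6$x$%s", key);
    return out;
}

int main(void)
{
    const char *stored = "$6$x$hunter2";                                   /* constructed */
    printf("%d\n", verify_password(fake_fips_crypt, "hunter2", stored));   /* 0: match   */
    printf("%d\n", verify_password(fake_fips_crypt, "wrong", stored));     /* 1: mismatch */
    printf("%d\n", verify_password(fake_fips_crypt, "hunter2", "abcdefghijklm")); /* 2: DES salt refused */
    return 0;
}
```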