
Bug 75203

Summary: app-office/koffice xpdf vulnerability
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: kde
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 09:09:08 UTC
koffice includes xpdf code and therefore might be vulnerable to CAN-2004-1125.
Please see bug 75191 for details and the patch.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 13:31:38 UTC
koffice contains xpdf 2.00 (patched for earlier integer overflow stuff) and the vulnerability is verified for 3.00

Nevertheless the patch applies cleanly except for the last part (lines 1054,1060), which is just a slight change in an error message afaict.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 13:45:15 UTC
KDE security has been notified about this together with the kpdf issue.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-22 06:35:55 UTC
upstream has patched versions in CVS
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2004-12-22 11:50:55 UTC
<<< koffice-1.3.5-r1.ebuild
<<< files/koffice_1_3_xpdf_buffer_overflow.diff

herds: please mark stable. 

ppc{,64}: if it's necessary to create a new revision for 1.3.4, please do so, the patch should apply as well.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-22 16:12:14 UTC
sparc is a go-go.
Comment 6 Dylan Carlson (RETIRED) gentoo-dev 2004-12-22 18:45:39 UTC
amd64 done
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2004-12-23 11:38:00 UTC
app-office/koffice-1.3.5-r1 is stable on ppc64.

Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-23 12:16:49 UTC
Stable on alpha.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2005-01-03 03:35:58 UTC
Already marked ppc stable.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 05:32:26 UTC
GLSA 200501-17