
Bug 78620

Summary: app-office/koffice includes vulnerable xpdf again
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: kde, soulse
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Whiteboard: B2 [glsa] jaervosz
Package list: (none)
Runtime testing required: ---
Attachments: Patch (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 22:19:34 UTC
koffice includes xpdf code and therefore might be vulnerable to CAN-2005-0064.
Please see bug 77888 for details.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 00:54:15 UTC
KDE team, please bump koffice. Upstream patch is available on bug #77888.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-19 04:42:59 UTC
<<< koffice-1.3.5-r2.ebuild

herds, please mark stable - would be nice to have it in 2005.0
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2005-01-20 09:51:22 UTC
Created attachment 49045 [details, diff]
Patch

According to an email from Waldo Bastian, this is the preferred fix for
koffice's xpdf problem.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-20 10:07:03 UTC
Back to ebuild. Kde please decide which patch you want to use.
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-20 10:11:27 UTC
"Both patches fix the same issue. The koffice patch doesn't seem to handle the keyLength == 0 case though. The koffice patch is the patch that went into xpdf upstream."

is exactly what he said. The question is whether we need to revise the patch for that reason. If it doesn't matter from the functionality and security perspective, it would only be an issue if we have another problem that needs to be patched. Also, this affects all ebuilds that apply the CAN-2005-0064.patch, not only koffice.
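For readers who want to see what the keyLength == 0 discussion is about: CAN-2005-0064 is the class of bug where a key length read from an untrusted PDF /Encrypt dictionary is used to fill a fixed-size key buffer without being bounded first. The code below is an added illustration written for this page; it is not the xpdf or koffice code, nor either of the patches attached to this bug. It assumes the PDF 1.4 constraints on /Length (a multiple of 8 bits in the range 40 to 128) and uses constructed sample key material. It rejects both ends of the range, so a zero length cannot leave the key buffer unfilled and an oversize length cannot write past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Largest key the PDF 1.4 standard security handler can use: 128 bits. */
#define MAX_KEY_BYTES 16

/* Convert an untrusted /Length value (in bits) from a PDF /Encrypt
 * dictionary into a byte count. Returns -1 when the value is not a multiple
 * of 8 in the range 40..128, which covers both the oversize case (buffer
 * overflow) and the zero-length case the comment above raises. */
int key_bytes_from_length(long length_bits) {
    if (length_bits < 40 || length_bits > 128 || length_bits % 8 != 0)
        return -1;
    return (int)(length_bits / 8);
}

/* Copy key material into a fixed-size key buffer. Returns the number of
 * bytes written, or -1 if key_bytes is unacceptable. The bounds check runs
 * before the buffer is touched, so a hostile length can never overflow key[]
 * and a zero length can never yield an empty key. */
int fill_file_key(const uint8_t *material, size_t material_len,
                  int key_bytes, uint8_t key[MAX_KEY_BYTES]) {
    if (key_bytes < 1 || key_bytes > MAX_KEY_BYTES)
        return -1;
    if ((size_t)key_bytes > material_len)
        return -1;
    memcpy(key, material, (size_t)key_bytes);
    return key_bytes;
}

/* Constructed walk-through: a file declaring /Length 128 yields a 16-byte key. */
int demo(void) {
    uint8_t material[32];              /* constructed stand-in for derived key material */
    uint8_t key[MAX_KEY_BYTES];
    for (int i = 0; i < 32; i++)
        material[i] = (uint8_t)i;
    int n = key_bytes_from_length(128);
    if (n < 0)
        return -1;
    return fill_file_key(material, sizeof material, n, key);
}
```

The check that matters for the discussion above is the lower bound in both functions: a patch that only guards against lengths larger than the buffer still lets a malformed file request a zero-length key.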
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-20 10:28:41 UTC
Thx Carsten, that will be your headache on the next xpdf vulnerability:-)

Arches please test and mark stable.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-01-20 11:30:12 UTC
stable on ppc64
Comment 8 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-20 15:06:40 UTC
amd64 done
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-21 12:38:21 UTC
Stable on ppc.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-21 12:40:06 UTC
sparc stable.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-21 12:51:05 UTC
Stable on alpha.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-22 13:44:29 UTC
*** Bug 79135 has been marked as a duplicate of this bug. ***
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 06:07:24 UTC
GLSA 200501-32