Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428890 (CVE-2012-3456) - <app-office/calligra-2.4.3-r1 : buffer overflow vulnerability (CVE-2012-3456)
Summary: <app-office/calligra-2.4.3-r1 : buffer overflow vulnerability (CVE-2012-3456)
Status: RESOLVED FIXED
Alias: CVE-2012-3456
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://packages.gentoo.org/package/ap...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-31 16:28 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-09-25 11:35 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-07-31 16:28:19 UTC
Is it OK to stabilize =app-office/calligra-l10n-2.4.3 ?

If so, please CC all arches which have stable keywords

for older versions of this package and add STABLEREQ keyword

to the bug.
Comment 1 Andreas K. Hüttel gentoo-dev 2012-07-31 16:41:17 UTC
Arches please stabilize:

app-office/calligra-2.4.3
app-office/calligra-l10n-2.4.3

Target: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-04 15:01:04 UTC
http://www.openwall.com/lists/oss-security/2012/08/04/1

Let me stop the stabilization here.
Comment 3 Agostino Sarubbo gentoo-dev 2012-08-05 17:23:07 UTC
more info here: http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf


Arches please stabilize:

app-office/calligra-2.4.3-r1
app-office/calligra-l10n-2.4.3

Target: amd64 x86
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-05 20:59:45 UTC
amd64 stable
Comment 5 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-08-08 14:15:50 UTC
amd64: ok
Comment 6 Andreas Schürch gentoo-dev 2012-08-09 12:12:34 UTC
(In reply to comment #4)
> amd64 stable
ehm... it doesn't seem so!? Readded amd64 to this bug
$ cat  calligra-2.4.3-r1.ebuild | grep KEYWO
[[ ${PV} == *9999 ]] || KEYWORDS="~amd64 x86"

I've hit bug #430570, but these are no regressions...
so x86 is done now. :-)
Comment 7 Johannes Huber gentoo-dev 2012-08-09 14:16:54 UTC
Thanks all. Removing maintainers from cc, nothing to do for us anymore.

+  09 Aug 2012; Johannes Huber <johu@gentoo.org> -calligra-2.4.2.ebuild:
+  Remove old wrt bug #428890.
Comment 8 Sean Amoss gentoo-dev Security 2012-08-09 20:23:42 UTC
Thanks, everyone. 

Filing a new GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-08-20 23:06:10 UTC
CVE-2012-3456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3456):
  Heap-based buffer overflow in the read function in
  filters/words/msword-odf/wv2/src/styles.cpp in the Microsoft import filter
  in Calligra 2.4.3 and earlier allows remote attackers to cause a denial of
  service (application crash) and possibly execute arbitrary code via a
  crafted ODF style in an ODF document.  NOTE: this is the same vulnerability
  as CVE-2012-3455, but it was SPLIT by the CNA even though Calligra and
  KOffice share the same codebase.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 11:35:28 UTC
This issue was resolved and addressed in
 GLSA 201209-10 at http://security.gentoo.org/glsa/glsa-201209-10.xml
by GLSA coordinator Sean Amoss (ackle).