Bug 78620 - app-office/koffice includes vulnerable xpdf again
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
Duplicates: 79135
Depends on:
Reported: 2005-01-18 22:19 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-01-23 06:07 UTC

Patch (post-1.3.5-koffice.diff, 730 bytes, patch)
2005-01-20 09:51 UTC, Caleb Tennis (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 22:19:34 UTC
koffice includes xpdf code and therefore might be vulnerable to CAN-2005-0064.
Please see bug 77888 for details.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 00:54:15 UTC
KDE team, please bump koffice. Upstream patch is available on bug #77888.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-19 04:42:59 UTC
<<< koffice-1.3.5-r2.ebuild

herds, please mark stable - would be nice to have it in 2005.0
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2005-01-20 09:51:22 UTC
Created attachment 49045

According to an email from Waldo Bastian, this is the preferred fix for
koffice's xpdf problem.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-20 10:07:03 UTC
Back to ebuild. KDE, please decide which patch you want to use.
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-20 10:11:27 UTC
"Both patches fix the same issue. The koffice patch doesn't seem to handle the 
keyLength == 0 case though. The koffice patch is the patch that went into 
xpdf upstream."

is exactly what he said. The question is whether we need to revise the patch for that reason. If it doesn't matter from the functionality and security perspective, it would only be an issue if we have another problem which needs to be patched. Also, this affects all ebuilds which apply the CAN-2005-0064.patch, not only koffice.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-20 10:28:41 UTC
Thx Carsten, that will be your headache on the next xpdf vulnerability :-)

Arches please test and mark stable.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-01-20 11:30:12 UTC
stable on ppc64
Comment 8 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-20 15:06:40 UTC
amd64 done
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-21 12:38:21 UTC
Stable on ppc.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-21 12:40:06 UTC
sparc stable.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-21 12:51:05 UTC
Stable on alpha.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-22 13:44:29 UTC
*** Bug 79135 has been marked as a duplicate of this bug. ***
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 06:07:24 UTC
GLSA 200501-32