-----BEGIN PGP SIGNED MESSAGE-----
KDE Security Advisory: libgadu vulnerabilities
Original Release Date: 2005-07-21
1. Systems affected:
All versions of Kopete as included in KDE 3.2.3 up to including
KDE 3.4.1. KDE 3.2.2 and older are not affected.
Kopete 0.9.x releases starting with 0.9.4 and Kopete 0.10.3
or newer are unaffected.
Kopete contains a copy of libgadu that is used if
no compatible version is installed in the system. Several
input validation errors have been reported in libgadu
that can lead to integer overflows and remote DoS or
arbitrary code execution.
If the Gadu-Gadu protocol handler in Kopete is used,
remote users can DoS the Kopete client or possibly even
execute arbitrary code.
Source code patches have been made available that update
the included copy of libgadu to 1.6rc3 which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
A patch for KDE 3.4.1 is available from
A patch for KDE 3.3.2 is available from
A patch for KDE 3.2.3 is available from
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
-----END PGP SIGNATURE-----
KDE please provide an updated ebuild.
Created attachment 63954 [details]
I don't have time. If someone would test the ebuilds, please?! What bothers me
is that the dependency is not listed as an optional one, since the shared
libgadu can be used, too. Also Portage doesn't seem to treat SRC_URI
culmulative as it seems.
Created attachment 63955 [details]
Created attachment 63956 [details]
arch herds: The patches apply and I don't see why there should be a problem,
testers are welcome.
So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and
3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no
Afair GLSA 200412-17 was the first one to not include a fix for 3.2.x. I'm sure
there are several others after that.
I tested the ebuilds and committed:
Stable on hppa
stable on ppc64
Is it OK to mark these bad boys as blocker during release time when we're under
crunch time if it is holding us up?
Well... this is blocking the release at the moment... thanks all
Upgrading severity to blocker as requested by wolf31o2.
(In reply to comment #7)
> So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and
> 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no
> longer supported?
Supporting two stable releases should suffice. While adding the fixes for KDE
3.2 as well, wouldn't be a big issue in this case, but the KDE team is small,
some arch teams are, too and not everyone is as sparctastic fast & resposive as
(In reply to comment #8)
> Afair GLSA 200412-17
> was the first one to not include a fix for 3.2.x. I'm sure
> there are several others after that.
No. KDE 3.2 wasn't affected in this case. Bug 98735 and this one are the first two.
In case anyone raised an eyebrowe: No portage bug, a kde eclass speciality as I
Marked ppc stable.
kdenetwork-3.3.2-r2 stable on mips, 3.4 hasn't gone stable on mips yet.
stable on amd64.
Stable on alpha.
Stable on ia64.
x86 already stable. This one is ready for GLSA.
Still needing alpha keyword, back to stable.
Alpha doesn't have any stable 3.4.x version and I already stabled
kdenetwork-3.3.2-r2. I don't think we're missing any keywords but feel free to
correct me if I'm wrong :)
Kloeri sorry for the noise. This one is ready for GLSA.
Rerating as B (Gadu-gadu is hardly default configuration).