-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: libgadu vulnerabilities
Original Release Date: 2005-07-21
URL: http://www.kde.org/info/security/advisory-20050721-1.txt

0. References

        CVE CAN-2005-1852

1. Systems affected:

        All versions of Kopete as included in KDE 3.2.3 up to including
        KDE 3.4.1. KDE 3.2.2 and older are not affected. Kopete 0.9.x
        releases starting with 0.9.4 and Kopete 0.10.3 or newer are
        unaffected.

2. Overview:

        Kopete contains a copy of libgadu that is used if no compatible
        version is installed in the system. Several input validation
        errors have been reported in libgadu that can lead to integer
        overflows and remote DoS or arbitrary code execution.

3. Impact:

        If the Gadu-Gadu protocol handler in Kopete is used, remote users
        can DoS the Kopete client or possibly even execute arbitrary code.

4. Solution:

        Source code patches have been made available that update the
        included copy of libgadu to 1.6rc3, which fixes these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        A patch for KDE 3.4.1 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        675008c8bc9d7edf4d0034a398d15cf0  post-3.4.1-kdenetwork-libgadu.patch

        A patch for KDE 3.3.2 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        73ebcef42173bf567d473414693898b0  post-3.3.2-kdenetwork-libgadu.patch

        A patch for KDE 3.2.3 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        69e3379085aeaeecf034468d18a900f6  post-3.2.3-kdenetwork-libgadu.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFC3w5pvsXr+iuy1UoRAuAyAKC5MQPmvhpYiOtypx50dk7fkLCxWACgg0Lv
XiS2yq32alcX2bEhEArot+Y=
=FoUx
-----END PGP SIGNATURE-----
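The advisory describes the bug class (input validation errors in length handling that let an integer overflow defeat a bounds check) without showing the code. The following is an added, constructed illustration of that class, not libgadu's real wire format, code, or the actual CAN-2005-1852 defect: a hypothetical frame with a 4-byte type, a 4-byte little-endian payload length, and the payload. The frame layout, the `MAX_PAYLOAD` limit and all function names are assumptions made for the example. The vulnerable check adds the header size to the attacker-controlled length in 32-bit arithmetic, so a huge length wraps to a small sum and passes; the hardened check compares the length against the space that is actually left and caps it at a protocol limit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the advisory's bug class (a length field whose
 * arithmetic wraps). NOT libgadu's real protocol or code.
 * Hypothetical frame: 4-byte type, 4-byte little-endian payload length,
 * then `length` bytes of payload. */
#define HDR_LEN     8u
#define MAX_PAYLOAD 65535u   /* assumed protocol sanity limit */

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable length check: `len + HDR_LEN` is evaluated in 32 bits, so a
 * remote peer sending len >= 0xFFFFFFF8 makes the sum wrap to a small value,
 * the bounds check passes, and a later copy of `len` bytes would read (or
 * allocate and write) far beyond the received buffer.
 * Returns the payload length it would accept, or -1 if rejected. */
int64_t frame_len_vulnerable(const unsigned char *buf, size_t buflen)
{
    if (buflen < HDR_LEN)
        return -1;
    uint32_t len = rd32le(buf + 4);
    if (len + HDR_LEN > buflen)          /* wraps for huge len */
        return -1;
    return (int64_t)len;
}

/* Hardened check: never add to the attacker-controlled value; compare it
 * against the space actually left after the header, and cap it at a
 * protocol limit so a "valid" but absurd length is also refused. */
int64_t frame_len_hardened(const unsigned char *buf, size_t buflen)
{
    if (buflen < HDR_LEN)
        return -1;
    uint32_t len = rd32le(buf + 4);
    if (len > MAX_PAYLOAD)
        return -1;
    if (len > buflen - HDR_LEN)          /* buflen >= HDR_LEN, so no underflow */
        return -1;
    return (int64_t)len;
}

/* Copies the payload out using the hardened check.
 * Returns bytes copied, or -1 if the frame or the output buffer is too small. */
int64_t extract_payload(const unsigned char *buf, size_t buflen,
                        unsigned char *out, size_t outlen)
{
    int64_t len = frame_len_hardened(buf, buflen);
    if (len < 0 || (uint64_t)len > outlen)
        return -1;
    memcpy(out, buf + HDR_LEN, (size_t)len);
    return len;
}

/* Constructed sample frames (type 0x01). The hostile one claims a payload
 * length of 0xFFFFFFFC while carrying only 4 bytes. */
const unsigned char benign_frame[12] = {
    1, 0, 0, 0,  4, 0, 0, 0,  'p', 'i', 'n', 'g' };
const unsigned char hostile_frame[12] = {
    1, 0, 0, 0,  0xFC, 0xFF, 0xFF, 0xFF,  'p', 'i', 'n', 'g' };
```

For the hostile frame, `frame_len_vulnerable` accepts a length of 4294967292 because 0xFFFFFFFC + 8 wraps to 4, which is not greater than the 12-byte buffer; `frame_len_hardened` rejects it. The general rule is the one libgadu's fix had to apply throughout its parser: bounds checks on untrusted lengths must subtract from the known-good side, never add to the untrusted side.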
KDE please provide an updated ebuild.
Created attachment 63954 [details] kdenetwork-3.3.2-r2.ebuild

I don't have time. If someone would test the ebuilds, please?! What bothers me is that the dependency is not listed as an optional one, since the shared libgadu can be used, too. Also Portage doesn't seem to treat SRC_URI as cumulative.
Created attachment 63955 [details] kdenetwork-3.4.1-r1.ebuild
Created attachment 63956 [details] kopete-3.4.1-r1.ebuild
arch herds: The patches apply and I don't see why there should be a problem, testers are welcome.
Thx Carlo.
So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no longer supported?
AFAIR GLSA 200412-17 was the first one to not include a fix for 3.2.x. I'm sure there are several others after that.
I tested the ebuilds and committed: kdenetwork-3.4.1-r1.ebuild kdenetwork-3.3.2-r2.ebuild kopete-3.4.1-r1.ebuild
Stable on hppa
stable on ppc64
Is it OK to mark these bad boys as blocker during release time when we're under crunch time if it is holding us up? Heh... Well... this is blocking the release at the moment... thanks all
Upgrading severity to blocker as requested by wolf31o2.
(In reply to comment #7)
> So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and
> 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no
> longer supported?

Supporting two stable releases should suffice. Adding the fixes for KDE 3.2 as well wouldn't be a big issue in this case, but the KDE team is small, some arch teams are, too, and not everyone is as sparctastic fast & responsive as you. ;)

(In reply to comment #8)
> AFAIR GLSA 200412-17 was the first one to not include a fix for 3.2.x. I'm sure
> there are several others after that.

No. KDE 3.2 wasn't affected in this case. Bug 98735 and this one are the first two.

In case anyone raised an eyebrow: no Portage bug, a kde eclass speciality as I found out.
Marked ppc stable.
kdenetwork-3.3.2-r2 stable on mips, 3.4 hasn't gone stable on mips yet.
stable on amd64.
Stable on alpha.
Stable on ia64.
sparc stable.
x86 already stable. This one is ready for GLSA.
Still needing alpha keyword, back to stable.
Alpha doesn't have any stable 3.4.x version and I already stabled kdenetwork-3.3.2-r2. I don't think we're missing any keywords but feel free to correct me if I'm wrong :)
Kloeri sorry for the noise. This one is ready for GLSA.
Rerating as B (Gadu-Gadu is hardly default configuration). GLSA 200507-23