From ${URL} :

While not listed in the announcement [1] http://www.kde.org/announcements/announce-4.10.5.php, it looks like kde-workspace v4.10.5 fixed two security flaws (the second one a minor one):

* Issue #1 - Possible NULL pointer dereference in KDM and KCheckPass when glibc 2.17 (eglibc 2.17) or FIPS enabled system used
  Bug: https://git.reviewboard.kde.org/r/111261/
  Relevant patches:
  https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7
  https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/7777194da6154375fc8103b8c4e29e385cd7ae2e

* Issue #2 - Plasma desktop is leaking memory in X if some system tray icon is blinking
  Bug: https://bugs.kde.org/show_bug.cgi?id=314919
  Relevant patch:
  https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/2c810db3e41d56ad7dd8ec3436f3cf3abcc31983

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.
Second one didn't actually make it into 4.10.5 but has been added locally in 4.10.5-r1. @KDE team: do we want to backport or just go ahead and stabilize 4.10.5 early?
The first one didn't make it into 4.10.5 either (missed the tag/release deadline by a day or two).

[1] http://www.openwall.com/lists/oss-security/2013/07/16/7

--mancha
(In reply to mancha from comment #2)
> The first one didn't make it into 4.10.5 either (missed the tag/release
> deadline by a day or two).
>
> [1] http://www.openwall.com/lists/oss-security/2013/07/16/7
>
> --mancha

Thanks for taking care of it.
Hey guys, please tell me next time when you want a patch added what it's for... I admit I was lazy and did not look it up myself, but it would be better to have a reference to the bug or the CVE in the changelog...
Thanks all. <kde-base/plasma-workspace-4.10.5-r2 removed from tree. kde herd is out of the game. + 02 Aug 2013; Johannes Huber <johu@gentoo.org> + -plasma-workspace-4.10.4-r1.ebuild, -plasma-workspace-4.10.4-r2.ebuild: + Remove KDE SC 4.10.4 +
GLSA vote: no
GLSA vote: no

Closing as noglsa
CVE-2013-4132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4132): KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5 encrypted password, when FIPS-140 is enabled, to KDM or an (4) invalid password to KCheckPass.
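The defect behind the CVE text above, as an added illustration that is not code from KDE, glibc or this bug report: glibc 2.17's crypt() returns NULL (with errno set) instead of a hash string when the salt is invalid or when FIPS mode forbids DES/MD5, and a caller that hands that result straight to strcmp() dereferences NULL. fake_crypt(), check_password(), hash_then_verify() and fips_mode are constructed for this example; fake_crypt() keeps only crypt()'s NULL-on-failure contract and static result buffer, and uses a toy digest that is not a real password hash.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

int fips_mode = 0;   /* 1 emulates a FIPS-140 enabled glibc, which refuses DES and MD5 */

/* Constructed stand-in for glibc 2.17 crypt(): same NULL-on-failure contract and
 * static buffer, but a toy FNV-1a digest instead of the real hashing algorithms. */
const char *fake_crypt(const char *key, const char *salt)
{
    static char out[128];
    static const char des_ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    size_t prefix_len;
    unsigned h = 2166136261u;
    if (!strncmp(salt, "$1$", 3) || !strncmp(salt, "$5$", 3) || !strncmp(salt, "$6$", 3)) {
        const char *end = strchr(salt + 3, '$');        /* "$6$salt$" ends at the 3rd '$' */
        if (end == NULL || (fips_mode && salt[1] == '1')) { errno = EINVAL; return NULL; }
        prefix_len = (size_t)(end - salt) + 1;
    } else if (strspn(salt, des_ok) >= 2 && !fips_mode) {
        prefix_len = 2;                                  /* traditional DES: 2-char salt */
    } else {
        errno = EINVAL;                                  /* invalid salt, or DES/MD5 under FIPS */
        return NULL;
    }
    if (prefix_len > sizeof out - 9) { errno = EINVAL; return NULL; }
    for (size_t i = 0; i < prefix_len; i++) h = (h ^ (unsigned char)salt[i]) * 16777619u;
    for (const char *p = key; *p; p++) h = (h ^ (unsigned char)*p) * 16777619u;
    memcpy(out, salt, prefix_len);
    snprintf(out + prefix_len, sizeof out - prefix_len, "%08x", h);
    return out;
}

/* The fixed check: pre-fix KDM/KCheckPass passed crypt()'s result straight into strcmp(). */
int check_password(const char *stored_hash, const char *password)
{
    const char *computed = fake_crypt(password, stored_hash);
    if (computed == NULL)
        return 0;                                        /* refuse instead of dereferencing NULL */
    return strcmp(computed, stored_hash) == 0;
}

/* Helper: hash pw with salt under the given FIPS setting, then verify attempt against it. */
int hash_then_verify(const char *salt, const char *pw, const char *attempt, int fips)
{
    char stored[128];
    fips_mode = fips;
    const char *h = fake_crypt(pw, salt);
    if (h == NULL) return 0;                             /* salt refused: nothing to store */
    snprintf(stored, sizeof stored, "%s", h);
    return check_password(stored, attempt);
}
```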