Your message dated Mon, 12 Nov 2007 07:32:16 +0000 with message-id <E1IrTmK-0001zn-Ji@ries.debian.org> and subject line Bug#450631: fixed in koffice 1:1.6.3-4 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393 multiple vulnerabilities leading to arbitrary code execution
- From: Nico Golde <nion@debian.org>
- Date: Thu, 8 Nov 2007 18:30:48 +0100
- Message-id: <20071108173048.GA10109@ngolde.de>
Package: koffice
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for xpdf, and koffice includes this code.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.

If you fix these vulnerabilities please also include the CVE ids in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp1Fs_Dugquy.pgp
Description: PGP signature
--- End Message ---
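The first two CVEs in the report above are an unchecked array index in a progressive DCT (JPEG) data unit and an integer overflow in a buffer size computed from the frame header. The block below is an added illustration of the two checks that close those bug classes; it is not xpdf's or koffice's code, and the function names, the `int` arithmetic and the inputs are assumptions chosen to show the failure modes.

```c
/* Added illustration (assumed names, not xpdf/koffice code) of the checks
 * that the two DCTStream CVEs call for: a frame-buffer size that refuses to
 * wrap (CVE-2007-5392) and a coefficient index checked before the store
 * (CVE-2007-4352). */
#include <limits.h>
#include <stdbool.h>

#define DCT_BLOCK_COEFFS 64     /* one 8x8 block holds 64 DCT coefficients */
#define JPEG_MAX_DIM     65535  /* frame width/height are 16-bit in JPEG  */

/* Bytes for a width*height*ncomps frame buffer, computed in int the way an
 * older decoder does when it reads the frame header.  Returns -1 instead of
 * a wrapped (too small) size, so the caller rejects the stream rather than
 * allocating a short buffer that the decode loop overruns later. */
long dct_frame_bytes(int width, int height, int ncomps)
{
    if (width <= 0 || height <= 0 || width > JPEG_MAX_DIM || height > JPEG_MAX_DIM)
        return -1;
    if (ncomps < 1 || ncomps > 4)           /* JPEG allows 1..4 components */
        return -1;
    if (width > INT_MAX / height)           /* width*height would overflow */
        return -1;
    if (width * height > INT_MAX / ncomps)  /* ... and so would *ncomps    */
        return -1;
    return (long)width * height * ncomps;
}

/* Progressive AC decoding: each Huffman symbol yields a zero-run `run` and a
 * coefficient `value`; the decoder skips `run` slots of the block and stores
 * the value at the next one.  The unchecked form indexes coeffs[k+run]
 * straight from file-controlled data; this one refuses a run that would
 * leave the 64-entry block.  Returns true and advances *k on success. */
bool dct_store_ac(int coeffs[DCT_BLOCK_COEFFS], int *k, int run, int value)
{
    if (*k < 1 || *k >= DCT_BLOCK_COEFFS || run < 0)  /* AC slots are 1..63 */
        return false;
    if (run > DCT_BLOCK_COEFFS - 1 - *k)    /* k + run would pass index 63 */
        return false;
    *k += run;
    coeffs[*k] = value;
    *k += 1;
    return true;
}

/* Self-check on constructed input: three symbols from k=60 with runs 5, 2, 0.
 * Returns how many stores were accepted (2: the run of 5 is refused),
 * or -1 if the accepted values did not land at slots 62 and 63. */
int dct_store_ac_demo(void)
{
    int coeffs[DCT_BLOCK_COEFFS] = {0};
    int k = 60, accepted = 0;
    accepted += dct_store_ac(coeffs, &k, 5, 7);   /* 60+5 = 65: refused   */
    accepted += dct_store_ac(coeffs, &k, 2, 7);   /* stores coeffs[62]    */
    accepted += dct_store_ac(coeffs, &k, 0, 9);   /* stores coeffs[63]    */
    if (coeffs[62] != 7 || coeffs[63] != 9)
        return -1;
    return accepted;
}
```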
--- Begin Message ---
- To: 450631-close@bugs.debian.org
- Subject: Bug#450631: fixed in koffice 1:1.6.3-4
- From: Ana Beatriz Guerrero Lopez <ana@debian.org>
- Date: Mon, 12 Nov 2007 07:32:16 +0000
- Message-id: <E1IrTmK-0001zn-Ji@ries.debian.org>
Source: koffice
Source-Version: 1:1.6.3-4

We believe that the bug you reported is fixed in the latest version of koffice, which is due to be installed in the Debian FTP archive:

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 450631@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated koffice package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sun, 11 Nov 2007 21:13:36 +0100
Source: koffice
Binary: koffice-data kivio koffice kugar kchart karbon kpresenter koffice-dbg kformula koffice-libs koshell kivio-data kspread kword koffice-doc krita krita-data kexi koffice-dev kword-data kthesaurus koffice-doc-html kplato kpresenter-data
Architecture: source amd64 all
Version: 1:1.6.3-4
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description:
 karbon     - a vector graphics application for the KDE Office Suite
 kchart     - a chart drawing program for the KDE Office Suite
 kexi       - integrated database environment for the KDE Office Suite
 kformula   - a formula editor for the KDE Office Suite
 kivio      - a flowcharting program for the KDE Office Suite
 kivio-data - data files for Kivio flowcharting program
 koffice    - KDE Office Suite
 koffice-data - common shared data for the KDE Office Suite
 koffice-dbg - debugging symbols for koffice
 koffice-dev - common libraries for KOffice (development files)
 koffice-doc - developer documentation for the KDE Office Suite
 koffice-doc-html - KDE Office Suite documentation in HTML format
 koffice-libs - common libraries and binaries for the KDE Office Suite
 koshell    - the KDE Office Suite workspace
 kplato     - an integrated project management and planning tool
 kpresenter - a presentation program for the KDE Office Suite
 kpresenter-data - data files for KPresenter presentation program
 krita      - a pixel-based image manipulation program for the KDE Office Suite
 krita-data - data files for Krita painting program
 kspread    - a spreadsheet for the KDE Office Suite
 kthesaurus - thesaurus for the KDE Office Suite
 kugar      - a business report maker for the KDE Office Suite
 kword      - a word processor for the KDE Office Suite
 kword-data - data files for KWord word processor
Closes: 439307 445038 450631
Changes:
 koffice (1:1.6.3-4) unstable; urgency=low
 .
   * Patch to multiple xpdf based vulnerabilities. (Closes: #450631)
     CVE-2007-4352, CVE-2007-5392, CVE-2007-5393.
   * Fix kword.menu section. (Closes: #445038)
   * Add Suggestion on kexi-mdb-plugin for kexi. (Closes: #439307)
Files:
--- End Message ---