
Bug#280373: kfax libtiff vulnerabilities



On Mon, Nov 08, 2004 at 09:35:30PM -0500, Josh Metzler wrote:
> On Monday 08 November 2004 07:46 pm, Chris Cheney wrote:
> > On Tue, Nov 09, 2004 at 12:37:55AM +0100, Andreas Mueller wrote:
> > > Package: kfax
> > > Version: 4:3.3.1-1
> > > Severity: normal
> > >
> > >
> > > -- cut from the unofficial KDE Security Advisory --
> > >
> > > kfax, a small utility for displaying fax files, contains
> > > for historic reasons a private copy of libtiff.
> > > Therefore it is vulnerable to these issues as well.
> > >
> > > As a workaround, you can remove the kfax binary and the
> > > kfax_multipage KPart from your system to be on the safe
> > > side. A new package is now on ktown.
> > >
> > > This issue is already sort-of public because Red Hat already announced
> > > it as part of their kdegraphics update.
> > >
> > > Cheers,
> > > amu
> >
> > The kfax in kdegraphics 3.3.1-1 deb is already fixed afaik, they removed
> > libtiff from kdegraphics source and use libtiff-tools instead.
> >
> > Chris
> 
> It is not fixed in kdegraphics 3.3.1-1.  I just downloaded the source 
> (apt-get source kdegraphics), and the kfax.cpp is the version dated July 
> 12, 2004 which is in the tagged KDE_3_3_1_RELEASE.  The fix was committed 
> to both KDE_3_3_BRANCH and KDE_3_2_BRANCH on October 16, 2004.  The 3.2 
> branch was refixed on October 23.

Did you happen to look at the source after
debian/patches/01_kdegraphics_branch.diff.uu is applied? The orig.tar.gz
is not patched directly of course...

Chris


