
Bug#342294: marked as done (koffice: Exploitable heap overflows in embedded xpdf copy)



Your message dated Wed, 14 Dec 2005 01:02:16 -0800
with message-id <E1EmSWe-0007Lc-3y@spohr.debian.org>
and subject line Bug#342294: fixed in koffice 1:1.4.2-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Dec 2005 22:21:45 +0000
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: koffice: Exploitable heap overflows in embedded xpdf copy
Message-ID: <20051206222122.7898.44560.reportbug@localhost.localdomain>
X-Mailer: reportbug 3.18
Date: Tue, 06 Dec 2005 23:21:22 +0100
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Package: koffice
Severity: grave
Tags: security
Justification: user security hole

Some heap overflows have been found in xpdf, of which koffice ships
a local copy. It is therefore vulnerable to a subset of the xpdf issues:

CVE-2005-3191:
http://www.idefense.com/application/poi/display?id=342
http://www.idefense.com/application/poi/display?id=343

CVE-2005-3192:
http://www.idefense.com/application/poi/display?id=344

pdftohtml is not vulnerable to CVE-2005-3193.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 342294-close) by bugs.debian.org; 14 Dec 2005 09:11:05 +0000
From: Isaac Clerencia <isaac@debian.org>
To: 342294-close@bugs.debian.org
X-Katie: $Revision: 1.60 $
Subject: Bug#342294: fixed in koffice 1:1.4.2-4
Message-Id: <E1EmSWe-0007Lc-3y@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 14 Dec 2005 01:02:16 -0800

Source: koffice
Source-Version: 1:1.4.2-4

We believe that the bug you reported is fixed in the latest version of
koffice, which is due to be installed in the Debian FTP archive:

karbon_1.4.2-4_i386.deb
  to pool/main/k/koffice/karbon_1.4.2-4_i386.deb
kchart_1.4.2-4_i386.deb
  to pool/main/k/koffice/kchart_1.4.2-4_i386.deb
kformula_1.4.2-4_i386.deb
  to pool/main/k/koffice/kformula_1.4.2-4_i386.deb
kivio-data_1.4.2-4_all.deb
  to pool/main/k/koffice/kivio-data_1.4.2-4_all.deb
kivio_1.4.2-4_i386.deb
  to pool/main/k/koffice/kivio_1.4.2-4_i386.deb
koffice-data_1.4.2-4_all.deb
  to pool/main/k/koffice/koffice-data_1.4.2-4_all.deb
koffice-dev_1.4.2-4_i386.deb
  to pool/main/k/koffice/koffice-dev_1.4.2-4_i386.deb
koffice-doc-html_1.4.2-4_all.deb
  to pool/main/k/koffice/koffice-doc-html_1.4.2-4_all.deb
koffice-libs_1.4.2-4_i386.deb
  to pool/main/k/koffice/koffice-libs_1.4.2-4_i386.deb
koffice_1.4.2-4.diff.gz
  to pool/main/k/koffice/koffice_1.4.2-4.diff.gz
koffice_1.4.2-4.dsc
  to pool/main/k/koffice/koffice_1.4.2-4.dsc
koffice_1.4.2-4_all.deb
  to pool/main/k/koffice/koffice_1.4.2-4_all.deb
koshell_1.4.2-4_i386.deb
  to pool/main/k/koffice/koshell_1.4.2-4_i386.deb
kpresenter_1.4.2-4_i386.deb
  to pool/main/k/koffice/kpresenter_1.4.2-4_i386.deb
krita_1.4.2-4_i386.deb
  to pool/main/k/koffice/krita_1.4.2-4_i386.deb
kspread_1.4.2-4_i386.deb
  to pool/main/k/koffice/kspread_1.4.2-4_i386.deb
kugar_1.4.2-4_i386.deb
  to pool/main/k/koffice/kugar_1.4.2-4_i386.deb
kword_1.4.2-4_i386.deb
  to pool/main/k/koffice/kword_1.4.2-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342294@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Isaac Clerencia <isaac@debian.org> (supplier of updated koffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Dec 2005 11:55:03 +0100
Source: koffice
Binary: koffice-data kspread kivio koffice kword krita kugar kchart karbon kpresenter koffice-dev koffice-doc-html kformula koffice-libs kivio-data koshell
Architecture: source all i386
Version: 1:1.4.2-4
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Isaac Clerencia <isaac@debian.org>
Description: 
 karbon     - a vector graphics application for the KDE Office Suite
 kchart     - a chart drawing program for the KDE Office Suite
 kformula   - a formula editor for the KDE Office Suite
 kivio      - a flowcharting program for the KDE Office Suite
 kivio-data - data files for Kivio flowcharting program
 koffice    - KDE Office Suite
 koffice-data - common shared data for the KDE Office Suite
 koffice-dev - common libraries for KOffice (development files)
 koffice-doc-html - KDE Office Suite documentation in HTML format
 koffice-libs - common libraries and binaries for the KDE Office Suite
 koshell    - the KDE Office Suite workspace
 kpresenter - a presentation program for the KDE Office Suite
 krita      - a pixel-based image manipulation program for the KDE Office Suite
 kspread    - a spreadsheet for the KDE Office Suite
 kugar      - a business report maker for the KDE Office Suite
 kword      - a word processor for the KDE Office Suite
Closes: 342294 342888
Changes: 
 koffice (1:1.4.2-4) unstable; urgency=low
 .
   * koffice branch pull, fixes security bug in included xpdf code,
     closes: #342294
   * set LIBWV_LIBS directly to -lwv2 instead of relying on wv2-config --libs,
     it removes superfluous Depends: libgsf in kword, closes: #342888
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>

iD8DBQFDn9yzQET2GFTmct4RAsJiAJ4/gzez+eqOVzDwHgu7KhNYuukfLQCfTnsO
fUEQbNb9cfhqTI3SN5xzCMw=
=YEFq
-----END PGP SIGNATURE-----


