Your message dated Mon, 12 Nov 2007 05:22:12 +0000 with message-id <E1IrRkS-0000TV-DB@ries.debian.org> and subject line Bug#450630: fixed in kdegraphics 4:3.5.8-2 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393 multiple vulnerabilities leading to arbitrary code execution
- From: Nico Golde <nion@debian.org>
- Date: Thu, 8 Nov 2007 18:29:22 +0100
- Message-id: <20071108172922.GA9986@ngolde.de>
Package: kdegraphics
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for poppler.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.

If you fix this vulnerability please also include the CVE id in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpnZ3u8kfsuZ.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 450630-close@bugs.debian.org
- Subject: Bug#450630: fixed in kdegraphics 4:3.5.8-2
- From: Ana Beatriz Guerrero Lopez <ana@debian.org>
- Date: Mon, 12 Nov 2007 05:22:12 +0000
- Message-id: <E1IrRkS-0000TV-DB@ries.debian.org>
Source: kdegraphics
Source-Version: 4:3.5.8-2

We believe that the bug you reported is fixed in the latest version of kdegraphics, which is due to be installed in the Debian FTP archive:

kamera_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kamera_3.5.8-2_amd64.deb
kcoloredit_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kcoloredit_3.5.8-2_amd64.deb
kdegraphics-dbg_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kdegraphics-dbg_3.5.8-2_amd64.deb
kdegraphics-dev_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kdegraphics-dev_3.5.8-2_amd64.deb
kdegraphics-doc-html_3.5.8-2_all.deb
  to pool/main/k/kdegraphics/kdegraphics-doc-html_3.5.8-2_all.deb
kdegraphics-kfile-plugins_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kdegraphics-kfile-plugins_3.5.8-2_amd64.deb
kdegraphics_3.5.8-2.diff.gz
  to pool/main/k/kdegraphics/kdegraphics_3.5.8-2.diff.gz
kdegraphics_3.5.8-2.dsc
  to pool/main/k/kdegraphics/kdegraphics_3.5.8-2.dsc
kdegraphics_3.5.8-2_all.deb
  to pool/main/k/kdegraphics/kdegraphics_3.5.8-2_all.deb
kdvi_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kdvi_3.5.8-2_amd64.deb
kfax_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kfax_3.5.8-2_amd64.deb
kfaxview_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kfaxview_3.5.8-2_amd64.deb
kgamma_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kgamma_3.5.8-2_amd64.deb
kghostview_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kghostview_3.5.8-2_amd64.deb
kiconedit_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kiconedit_3.5.8-2_amd64.deb
kmrml_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kmrml_3.5.8-2_amd64.deb
kolourpaint_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kolourpaint_3.5.8-2_amd64.deb
kooka_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kooka_3.5.8-2_amd64.deb
kpdf_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kpdf_3.5.8-2_amd64.deb
kpovmodeler_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kpovmodeler_3.5.8-2_amd64.deb
kruler_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kruler_3.5.8-2_amd64.deb
ksnapshot_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/ksnapshot_3.5.8-2_amd64.deb
ksvg_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/ksvg_3.5.8-2_amd64.deb
kuickshow_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kuickshow_3.5.8-2_amd64.deb
kview_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kview_3.5.8-2_amd64.deb
kviewshell_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/kviewshell_3.5.8-2_amd64.deb
libkscan-dev_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/libkscan-dev_3.5.8-2_amd64.deb
libkscan1_3.5.8-2_amd64.deb
  to pool/main/k/kdegraphics/libkscan1_3.5.8-2_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 450630@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated kdegraphics package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Nov 2007 19:50:13 +0100
Source: kdegraphics
Binary: kdegraphics-kfile-plugins ksnapshot kviewshell kghostview libkscan-dev kruler kcoloredit kamera kdegraphics-dev libkscan1 kdegraphics-dbg kview kdegraphics-doc-html kpdf ksvg kdvi kiconedit kfax kfaxview kuickshow kooka kdegraphics kolourpaint kmrml kgamma kpovmodeler
Architecture: source amd64 all
Version: 4:3.5.8-2
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description:
 kamera - digital camera io_slave for Konqueror
 kcoloredit - a color palette editor and color picker for KDE
 kdegraphics - graphics apps from the official KDE release
 kdegraphics-dbg - debugging symbols for kdegraphics
 kdegraphics-dev - development files for the KDE graphics module
 kdegraphics-doc-html - KDE graphics documentation in HTML format
 kdegraphics-kfile-plugins - KDE metainfo plugins for graphic files
 kdvi - dvi viewer for KDE
 kfax - G3/G4 fax viewer for KDE
 kfaxview - G3/G4 fax viewer for KDE using kviewshell
 kgamma - gamma correction module for the KDE Control Center
 kghostview - PostScript viewer for KDE
 kiconedit - an icon editor for KDE
 kmrml - a Konqueror plugin for searching pictures
 kolourpaint - a simple paint program for KDE
 kooka - scanner program for KDE
 kpdf - PDF viewer for KDE
 kpovmodeler - a graphical editor for povray scenes
 kruler - a screen ruler and color measurement tool for KDE
 ksnapshot - screenshot utility for KDE
 ksvg - SVG viewer for KDE
 kuickshow - KDE image/slideshow viewer
 kview - simple image viewer/converter for KDE
 kviewshell - generic framework for viewer applications in KDE
 libkscan-dev - development files for the KDE scanner library
 libkscan1 - scanner library for KDE
Closes: 448254 450630
Changes:
 kdegraphics (4:3.5.8-2) unstable; urgency=low
 .
   * Patch to multiple xpdf based vulnerabilities. (Closes: #450630)
     CVE-2007-4352, CVE-2007-5392, CVE-2007-5393.
   * Make kdegraphics binNMU safe. Thanks Lior!
(Closes: #448254)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFHN2MMn3j4POjENGERApXxAJ99fWsKPANkx7NM5ztJ7c+4Xkeq6QCfRLIz
FKb9bExz/BKjWTGLye8CDA0=
=ZkOF
-----END PGP SIGNATURE-----
--- End Message ---