Your message dated Wed, 30 Apr 2008 19:17:21 +0000
with message-id <E1JrHnt-000536-Fg@ries.debian.org>
and subject line Bug#478283: fixed in kde4libs 4:4.0.72-1
has caused the Debian Bug report #478283,
regarding kde4libs: CVE-2008-1670 heap based buffer overflow via specially encoded image
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
478283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478283
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: kde4libs: CVE-2008-1670 heap based buffer overflow via specially encoded image
- From: Nico Golde <nion@debian.org>
- Date: Mon, 28 Apr 2008 17:14:01 +0200
- Message-id: <20080428151401.GA16216@ngolde.de>
Package: kde4libs
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kde4libs.

CVE-2008-1670[0]:
| The new progressive PNG Image loader in KHTML of KDE 4.0 and newer
| can be tricked into overrunning a heap allocated memory buffer
| by loading a specially encoded image.

Note, the mitre description is still on status RESERVED, use the
upstream advisory as reference for now:
http://www.kde.org/info/security/advisory-20080426-1.txt

Patch: ftp://ftp.kde.org/pub/kde/security_patches/post-kde-4.0.3-khtml.diff

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1670
    http://security-tracker.debian.net/tracker/CVE-2008-1670

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpATvRKI0HTc.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 478283-close@bugs.debian.org
- Subject: Bug#478283: fixed in kde4libs 4:4.0.72-1
- From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
- Date: Wed, 30 Apr 2008 19:17:21 +0000
- Message-id: <E1JrHnt-000536-Fg@ries.debian.org>
Source: kde4libs
Source-Version: 4:4.0.72-1

We believe that the bug you reported is fixed in the latest version of
kde4libs, which is due to be installed in the Debian FTP archive:

kde4libs_4.0.72-1.diff.gz to pool/main/k/kde4libs/kde4libs_4.0.72-1.diff.gz
kde4libs_4.0.72-1.dsc to pool/main/k/kde4libs/kde4libs_4.0.72-1.dsc
kde4libs_4.0.72.orig.tar.gz to pool/main/k/kde4libs/kde4libs_4.0.72.orig.tar.gz
kdelibs-bin_4.0.72-1_amd64.deb to pool/main/k/kde4libs/kdelibs-bin_4.0.72-1_amd64.deb
kdelibs-bin_4.0.72-1_i386.deb to pool/main/k/kde4libs/kdelibs-bin_4.0.72-1_i386.deb
kdelibs5-data_4.0.72-1_all.deb to pool/main/k/kde4libs/kdelibs5-data_4.0.72-1_all.deb
kdelibs5-dbg_4.0.72-1_amd64.deb to pool/main/k/kde4libs/kdelibs5-dbg_4.0.72-1_amd64.deb
kdelibs5-dbg_4.0.72-1_i386.deb to pool/main/k/kde4libs/kdelibs5-dbg_4.0.72-1_i386.deb
kdelibs5-dev_4.0.72-1_amd64.deb to pool/main/k/kde4libs/kdelibs5-dev_4.0.72-1_amd64.deb
kdelibs5-dev_4.0.72-1_i386.deb to pool/main/k/kde4libs/kdelibs5-dev_4.0.72-1_i386.deb
kdelibs5-doc_4.0.72-1_all.deb to pool/main/k/kde4libs/kdelibs5-doc_4.0.72-1_all.deb
kdelibs5_4.0.72-1_amd64.deb to pool/main/k/kde4libs/kdelibs5_4.0.72-1_amd64.deb
kdelibs5_4.0.72-1_i386.deb to pool/main/k/kde4libs/kdelibs5_4.0.72-1_i386.deb
libphonon-dev_4.0.72-1_amd64.deb to pool/main/k/kde4libs/libphonon-dev_4.0.72-1_amd64.deb
libphonon-dev_4.0.72-1_i386.deb to pool/main/k/kde4libs/libphonon-dev_4.0.72-1_i386.deb
libphonon4_4.0.72-1_amd64.deb to pool/main/k/kde4libs/libphonon4_4.0.72-1_amd64.deb
libphonon4_4.0.72-1_i386.deb to pool/main/k/kde4libs/libphonon4_4.0.72-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 478283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kde4libs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 30 Apr 2008 18:03:58 +0200
Source: kde4libs
Binary: kdelibs5 kdelibs5-data kdelibs5-dev kdelibs5-doc kdelibs-bin kdelibs5-dbg libphonon-dev libphonon4
Architecture: all amd64 i386 source
Version: 4:4.0.72-1
Distribution: experimental
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Closes: 478283
Description:
 kdelibs5 - core libraries for all KDE 4 applications
 kdelibs5-data - core shared data for all KDE 4 applications
 kdelibs5-dbg - debugging symbols for the KDE 4 libraries module
 kdelibs5-dev - development files for the KDE 4 core libraries
 kdelibs5-doc - developer documentation for the KDE 4 core libraries
 kdelibs-bin - executables for all KDE 4 core applications
 libphonon4 - Phonon multimedia framework for Qt 4
 libphonon-dev - development files for the Phonon multimedia framework
Changes:
 kde4libs (4:4.0.72-1) experimental; urgency=low
 .
   * New upstream snapshot. (r802761)
 .
   * Fixes heap based buffer overflow via specially encoded image.
     CVE-2008-1670 (Closes: #478283)
 .
   +++ Changes by Modestas Vainius:
 .
   * 98_link_interfaces_library.diff - major update:
     - Drop ${QT_QTNETWORK_LIBRARY}, ${QT_QTDBUS_LIBRARY}, ${QT_QTXML_LIBRARY}
       from kdecore LINK_INTERFACE_LIBRARIES leaving only ${QT_QTCORE_LIBRARY}.
       Those 3 libraries are no longer implicitly provided by any kdelibs
       target. This may cause a few link time FTBFSes.
     - Further update LINK_INTERFACE_LIBRARIES of other public libraries.
   * Export ${KDE4_THREADWEAVER_LIBRARIES} and an alias for
     ${KDE4_THREADWEAVER_LIBS} to restore compatibility.
   * Fix offsets in other patches so they apply cleanly.
   * Move usr/include/KDE/Phonon from kdelibs5-dev to libphonon-dev.
     Update *.install files and Replaces for libphonon-dev appropriately.
   * Enhance 19_findqt4_optional_x11.diff patch. Do not implicitly add -lphread.
   * Build depend on libenchant-dev.
   * Add 99_more_implicit_link_libs.diff which adds more implicit link
     interface libraries to diverge from upstream as least as possible.
     - In addition, kdecore implies QtDBus, QtXml, QtNetwork.
     - In addition, kdeui implies QtSvg.
     - In addition, kde3support and ktuils imply kparts.
     - In addition, kio implies solid.
   * Move dbus-1 XML interfaces to kdelibs5-dev.install.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFIGMOOn3j4POjENGERAp/eAJ9S1WWLumLeicNFYy+E03ghmtCG5gCffL39
Be3zZfWgWDqp2m1Diwmbtbk=
=pyhr
-----END PGP SIGNATURE-----
--- End Message ---