Bug#478283: marked as done (kde4libs: CVE-2008-1670 heap based buffer overflow via specially encoded image)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 30 Apr 2008 19:17:21 +0000
with message-id <E1JrHnt-000536-Fg@ries.debian.org>
and subject line Bug#478283: fixed in kde4libs 4:4.0.72-1
has caused the Debian Bug report #478283,
regarding kde4libs: CVE-2008-1670 heap based buffer overflow via specially encoded image
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
478283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478283
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: kde4libs: CVE-2008-1670 heap based buffer overflow via specially encoded image
• From: Nico Golde <nion@debian.org>
• Date: Mon, 28 Apr 2008 17:14:01 +0200
• Message-id: <[🔎] 20080428151401.GA16216@ngolde.de>

Package: kde4libs
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kde4libs.


CVE-2008-1670[0]:
| The new progressive PNG Image loader in KHTML of KDE 4.0 and newer
| can be tricked into overrunning a heap allocated memory buffer
| by loading a specially encoded image.

Note, the mitre description is still on status RESERVED, use the upstream advisory as reference for now:
http://www.kde.org/info/security/advisory-20080426-1.txt

Patch:
ftp://ftp.kde.org/pub/kde/security_patches/post-kde-4.0.3-khtml.diff

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1670
    http://security-tracker.debian.net/tracker/CVE-2008-1670

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpATvRKI0HTc.pgp
Description: PGP signature

--- End Message ---

--- Begin Message ---

• To: 478283-close@bugs.debian.org
• Subject: Bug#478283: fixed in kde4libs 4:4.0.72-1
• From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
• Date: Wed, 30 Apr 2008 19:17:21 +0000
• Message-id: <E1JrHnt-000536-Fg@ries.debian.org>

Source: kde4libs
Source-Version: 4:4.0.72-1

We believe that the bug you reported is fixed in the latest version of
kde4libs, which is due to be installed in the Debian FTP archive:

kde4libs_4.0.72-1.diff.gz
  to pool/main/k/kde4libs/kde4libs_4.0.72-1.diff.gz
kde4libs_4.0.72-1.dsc
  to pool/main/k/kde4libs/kde4libs_4.0.72-1.dsc
kde4libs_4.0.72.orig.tar.gz
  to pool/main/k/kde4libs/kde4libs_4.0.72.orig.tar.gz
kdelibs-bin_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/kdelibs-bin_4.0.72-1_amd64.deb
kdelibs-bin_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/kdelibs-bin_4.0.72-1_i386.deb
kdelibs5-data_4.0.72-1_all.deb
  to pool/main/k/kde4libs/kdelibs5-data_4.0.72-1_all.deb
kdelibs5-dbg_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/kdelibs5-dbg_4.0.72-1_amd64.deb
kdelibs5-dbg_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/kdelibs5-dbg_4.0.72-1_i386.deb
kdelibs5-dev_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/kdelibs5-dev_4.0.72-1_amd64.deb
kdelibs5-dev_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/kdelibs5-dev_4.0.72-1_i386.deb
kdelibs5-doc_4.0.72-1_all.deb
  to pool/main/k/kde4libs/kdelibs5-doc_4.0.72-1_all.deb
kdelibs5_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/kdelibs5_4.0.72-1_amd64.deb
kdelibs5_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/kdelibs5_4.0.72-1_i386.deb
libphonon-dev_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/libphonon-dev_4.0.72-1_amd64.deb
libphonon-dev_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/libphonon-dev_4.0.72-1_i386.deb
libphonon4_4.0.72-1_amd64.deb
  to pool/main/k/kde4libs/libphonon4_4.0.72-1_amd64.deb
libphonon4_4.0.72-1_i386.deb
  to pool/main/k/kde4libs/libphonon4_4.0.72-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kde4libs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 30 Apr 2008 18:03:58 +0200
Source: kde4libs
Binary: kdelibs5 kdelibs5-data kdelibs5-dev kdelibs5-doc kdelibs-bin kdelibs5-dbg libphonon-dev libphonon4
Architecture: all amd64 i386 source 
Version: 4:4.0.72-1
Distribution: experimental
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Closes: 478283
Description:
 kdelibs5   - core libraries for all KDE 4 applications
 kdelibs5-data - core shared data for all KDE 4 applications
 kdelibs5-dbg - debugging symbols for the KDE 4 libraries module
 kdelibs5-dev - development files for the KDE 4 core libraries
 kdelibs5-doc - developer documentation for the KDE 4 core libraries
 kdelibs-bin - executables for all KDE 4 core applications
 libphonon4 - Phonon multimedia framework for Qt 4
 libphonon-dev - development files for the Phonon multimedia framework
Changes:
 kde4libs (4:4.0.72-1) experimental; urgency=low
 .
   * New upstream snapshot. (r802761)
 .
   * Fixes heap based buffer overflow via specially encoded image.
     CVE-2008-1670 (Closes: #478283)
 .
   +++ Changes by Modestas Vainius:
 .
   * 98_link_interfaces_library.diff - major update:
     - Drop ${QT_QTNETWORK_LIBRARY}, ${QT_QTDBUS_LIBRARY}, ${QT_QTXML_LIBRARY}
       from kdecore LINK_INTERFACE_LIBRARIES leaving only ${QT_QTCORE_LIBRARY}.
       Those 3 libraries are no longer implicitly provided by any kdelibs
       target. This may cause a few link time FTBFSes.
     - Further update LINK_INTERFACE_LIBRARIES of other public libraries.
   * Export ${KDE4_THREADWEAVER_LIBRARIES} and an alias for
     ${KDE4_THREADWEAVER_LIBS} to restore compatibility.
   * Fix offsets in other patches so they apply cleanly.
   * Move usr/include/KDE/Phonon from kdelibs5-dev to libphonon-dev. Update
     *.install files and Replaces for libphonon-dev appropriately.
   * Enhance 19_findqt4_optional_x11.diff patch. Do not implicitly add
     -lphread.
   * Build depend on libenchant-dev.
   * Add 99_more_implicit_link_libs.diff which adds more implicit link
     interface libraries to diverge from upstream as least as possible.
     - In addition, kdecore implies QtDBus, QtXml, QtNetwork.
     - In addition, kdeui implies QtSvg.
     - In addition, kde3support and ktuils imply kparts.
     - In addition, kio implies solid.
   * Move dbus-1 XML interfaces to kdelibs5-dev.install.
Checksums-Sha1: 
 0392cc625891a8002c094e60b0110aaad2ad00e9 109606 libphonon-dev_4.0.72-1_i386.deb
 2e9f15e0357a49eaf47c6ab34758ba8430e85320 65965442 kdelibs5-dbg_4.0.72-1_i386.deb
 422e2b7bcd4269e6a832a9452dc4dc138d8eaa74 1418426 kdelibs5-dev_4.0.72-1_i386.deb
 43364cdba94cba5a8a1c2b8180eb303ec1464f05 384208 kdelibs-bin_4.0.72-1_i386.deb
 45c2954a288b591c0f8c5886dbebea4026ea2dc7 202008 libphonon4_4.0.72-1_amd64.deb
 4d3861dba111551a7a4a5641e6abd87547ce307d 1461052 kdelibs5-dev_4.0.72-1_amd64.deb
 4e0668a3ebe0be97299ef6b6b2fde62a8f42850d 63040 kdelibs5-doc_4.0.72-1_all.deb
 75949e41acf756317c920a0c8a9ad504d0712d34 2106 kde4libs_4.0.72-1.dsc
 5c47b766aaa6bb8aa5fcde017d1cd224504f114b 66778938 kdelibs5-dbg_4.0.72-1_amd64.deb
 5e6074c6fcc29aafc929fb9f8a1405c307a0295b 84398 kde4libs_4.0.72-1.diff.gz
 77ebd1ec705fa64b6832ec427e85b9368736e8e9 11356034 kde4libs_4.0.72.orig.tar.gz
 8378bdd99a8c87a377931d6ee3c56310a0837220 109588 libphonon-dev_4.0.72-1_amd64.deb
 95db54a3886ec3545dff6d2187ee9d36c18208a4 10186322 kdelibs5_4.0.72-1_amd64.deb
 9ed154cf719173a3083cbd5151f33b12348805c3 9513590 kdelibs5_4.0.72-1_i386.deb
 9fef12c2f1ea0e59d116d2efd6e8654c20c10100 186820 libphonon4_4.0.72-1_i386.deb
 d4a8edab3e85f9985f2b3084da03f7338cce58e6 3087114 kdelibs5-data_4.0.72-1_all.deb
 ea6828be12eb57ad6b402612ba5d79c95c594332 424186 kdelibs-bin_4.0.72-1_amd64.deb
Checksums-Sha256: 
 107754d49df2f9d867343b1dd427ee62c5dca4936e8a3e3e5f63a5ab5cfc84a4 384208 kdelibs-bin_4.0.72-1_i386.deb
 191a95fb193db3d99b9bcfcb9a37d75c4c49f9655edbf9b6cc977cca12aaab1b 1418426 kdelibs5-dev_4.0.72-1_i386.deb
 2599317480afb51f9105e2522a12587ba3120cc81ab581622040b92af2765925 202008 libphonon4_4.0.72-1_amd64.deb
 2cf1901e06ce19a8695a1cccec515da473942b73c0337567185b3c4b2e149dab 3087114 kdelibs5-data_4.0.72-1_all.deb
 33315dd0a7d8e76a999dc3d055075f6487d87b173b60c89ba01d80a332488aa5 109606 libphonon-dev_4.0.72-1_i386.deb
 5039b84f7b49a26fe775ca9520b8629228533612a479feaaf781c0f042f8f3cb 63040 kdelibs5-doc_4.0.72-1_all.deb
 636f5eb0d84cb96d304a287d659eef34abec024c69f8281c84c8d81ef1518a02 66778938 kdelibs5-dbg_4.0.72-1_amd64.deb
 9f1728b2548784cd2e8ac8b8eb3bdd40926c3044e1c9913a9a2e6e824714cc4d 10186322 kdelibs5_4.0.72-1_amd64.deb
 a4b135d168f2687e45cb2cf172790b72d495c4faad8834ae8554831bea9a00c5 84398 kde4libs_4.0.72-1.diff.gz
 a4d2b0d060e948ed9d1028fa2227b582df6ccb8c9f6d20993d93371be85bd9be 65965442 kdelibs5-dbg_4.0.72-1_i386.deb
 b0ab7832cb01b5aa474312237777c54ef8f5c97ac2593f7cb41ba2b9f0af889b 11356034 kde4libs_4.0.72.orig.tar.gz
 08109189a62d704466a0ae1ca819e3a53986dbc41f176ef95ac42dd0e4aa61ed 2106 kde4libs_4.0.72-1.dsc
 c5a3db8c134075bddf8b95fe5577aebc5d2046d52591cdb0e4b785302dab9b58 1461052 kdelibs5-dev_4.0.72-1_amd64.deb
 d76c9623899a1a01b1234b7d501b2818e14d31fc752089048d99385e1d36db4b 186820 libphonon4_4.0.72-1_i386.deb
 e78a7a866378bfbdbe0741376972765cd4af9d833a36c5939c75c89484dec1e3 9513590 kdelibs5_4.0.72-1_i386.deb
 f2deb41cd11e7f6da99cac89bfee8ab1b64a745f848299abb8bf7bcfa066e5a8 424186 kdelibs-bin_4.0.72-1_amd64.deb
 fe09a1e2409633f6a90603be5204f92d883dffcb2a58c41bcf35504835a1c524 109588 libphonon-dev_4.0.72-1_amd64.deb
Files: 
 14698c6c99c46a13e121a6ffd2fbe0eb 1461052 libdevel optional kdelibs5-dev_4.0.72-1_amd64.deb
 173a98e9b836e8747ac43c4eedd90ef9 1418426 libdevel optional kdelibs5-dev_4.0.72-1_i386.deb
 22774776ecd5038911917a6b6c06edae 384208 libs optional kdelibs-bin_4.0.72-1_i386.deb
 27983677567bdd7557141a8b46c43f65 65965442 libdevel extra kdelibs5-dbg_4.0.72-1_i386.deb
 298696d6b3047755a0301f9e989d54a1 109606 libdevel optional libphonon-dev_4.0.72-1_i386.deb
 3cb10d33a35d8be39f5a35fd9a0c2918 84398 libs optional kde4libs_4.0.72-1.diff.gz
 467589ce8a7965baaefce0bb8935789b 186820 libs optional libphonon4_4.0.72-1_i386.deb
 47476476ead14d3107b4d126fbf60764 10186322 libs optional kdelibs5_4.0.72-1_amd64.deb
 5f166a9e388523424264731bb9ed05ae 109588 libdevel optional libphonon-dev_4.0.72-1_amd64.deb
 73971f4c65ef061320939b1def3b6e53 424186 libs optional kdelibs-bin_4.0.72-1_amd64.deb
 7ed2f5a53b01442752777933135de10c 11356034 libs optional kde4libs_4.0.72.orig.tar.gz
 22d868d853cef8eeed925c5be387b0a3 2106 libs optional kde4libs_4.0.72-1.dsc
 d6d639ddd2c24d89c3017f5b59671484 66778938 libdevel extra kdelibs5-dbg_4.0.72-1_amd64.deb
 db647acfdded2cce4d07c85e7da3e6aa 9513590 libs optional kdelibs5_4.0.72-1_i386.deb
 de2965222da6d3bdd7fa5adc763310cf 202008 libs optional libphonon4_4.0.72-1_amd64.deb
 e1055c78d3f6f05703f6008665f5ddde 3087114 libs optional kdelibs5-data_4.0.72-1_all.deb
 e771f3916d17dcb3f8e2c986c91b5582 63040 doc optional kdelibs5-doc_4.0.72-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero

iD8DBQFIGMOOn3j4POjENGERAp/eAJ9S1WWLumLeicNFYy+E03ghmtCG5gCffL39
Be3zZfWgWDqp2m1Diwmbtbk=
=pyhr
-----END PGP SIGNATURE-----

--- End Message ---