Your message dated Thu, 14 Apr 2005 19:02:26 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#303238: fixed in kdegraphics 4:3.3.2-2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: kpdf fix for CAN-2005-0064 (bug 291251) was incomplete
Date: Tue, 05 Apr 2005 17:02:39 +0200

Package: kpdf
Version: 4:3.3.2-1
Severity: grave
Tags: security patch
Justification: user security hole

Dear KDE maintainers,
the security fix for CAN-2005-0064 was derived from xpdf 3.00-12, which in fact turned out to be incomplete wrt a missing range check in XRef.cc. Attached you can find a patch that adds the missing range verification, as it has been done for xpdf 3.00-13.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Content-Disposition: attachment; filename="kpdf-CAN-2005-0064-missing-check.diff"
diff -Naur kdegraphics-3.3.2.orig/kpdf/xpdf/XRef.cc kdegraphics-3.3.2/kpdf/xpdf/XRef.cc
--- kdegraphics-3.3.2.orig/kpdf/xpdf/XRef.cc 2004-11-28 14:30:57.000000000 +0100
+++ kdegraphics-3.3.2/kpdf/xpdf/XRef.cc 2005-04-05 16:05:04.000000000 +0200
@@ -820,6 +820,9 @@ } else { keyLength = 5; } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) {
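Review bot: the added clamp after `keyLength = 5;` silently proceeds with a 16-byte key when the file declares a longer one instead of treating the out-of-range value as malformed input; rejecting the document with an error (or at least reporting that the value was clamped) would stop a crafted file from steering key derivation with an unexpected length while still closing the overflow. Only the upper bound is checked here: nothing in the hunk guards against a zero or negative keyLength coming from the branch above `} else { keyLength = 5; }`, which is not shown, so a lower-bound check belongs alongside the new one.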
---------------------------------------
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: [EMAIL PROTECTED]
Subject: Bug#303238: fixed in kdegraphics 4:3.3.2-2
Date: Thu, 14 Apr 2005 19:02:26 -0400

Source: kdegraphics
Source-Version: 4:3.3.2-2

We believe that the bug you reported is fixed in the latest version of kdegraphics, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdegraphics package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 14 Apr 2005 22:55:13 +0200
Source: kdegraphics
Binary: kdegraphics-kfile-plugins ksnapshot kviewshell kghostview libkscan-dev kruler kcoloredit kamera kdegraphics-dev libkscan1 kview kpdf ksvg kdvi kiconedit kfax kuickshow kooka kdegraphics kolourpaint kmrml kgamma kpovmodeler
Architecture: source i386 all
Version: 4:3.3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
 kamera - digital camera io_slave for Konqueror
 kcoloredit - An editor for palette files
 kdegraphics - KDE Graphics metapackage
 kdegraphics-dev - KDE graphics (development files)
 kdegraphics-kfile-plugins - provide meta information for graphic files
 kdvi - KDE dvi viewer
 kfax - KDE G3/G4 Fax Viewer
 kgamma - Gamma correction KControl module
 kghostview - PostScript viewer for KDE
 kiconedit - An icon editor for creating KDE icons
 kmrml - A Konqueror plugin for searching pictures
 kolourpaint - A Simple Paint Program for KDE
 kooka - Scanner program for KDE
 kpdf - PDF viewer for KDE
 kpovmodeler - A graphical editor for povray scenes
 kruler - a screen ruler and color measurement tool for KDE
 ksnapshot - Screenshot application for KDE
 ksvg - SVG viewer for KDE
 kuickshow - KDE image/slideshow viewer
 kview - KDE simple image viewer/converter
 kviewshell - KDE generic framework for viewer applications
 libkscan-dev - Scanner library for KDE (development files)
 libkscan1 - Scanner library for KDE
Closes: 303238
Changes:
 kdegraphics (4:3.3.2-2) unstable; urgency=medium
 .
   +++ Changes by Christopher Martin:
 .
   * KDE_3_3_BRANCH update. This includes a small but important patch to kpdf's xpdf code. Fully resolves CAN-2005-0064, a buffer overflow vulnerability. Urgency=medium as this is release critical. (Closes: #303238)
 .
   * Add GFDL to debian/copyright.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Isaac Clerencia <[EMAIL PROTECTED]>

iD8DBQFCXuouQET2GFTmct4RAh/2AJ9+oVoxUTnu4isfi8nSp1y7oS/TNgCcD0D5
Hk2NTa7pVvV5O4Bd3GVGeRM=
=Su8j
-----END PGP SIGNATURE-----
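The patch in Moritz's report bounds keyLength before the code goes on to use it; the following constructed C++ model, added here and not taken from kpdf or xpdf, walks through the same derivation (a 5-byte default, otherwise a length taken from the file) and puts the patch's clamp beside a stricter check that rejects malformed lengths outright before anything is copied into a fixed 16-byte key buffer. The accepted range (a multiple of 8 bits between 40 and 128) is the PDF 1.4 definition of the /Length entry; the struct and function names are assumptions.

```cpp
#include <cstdint>
#include <cstring>

// Constructed model of the key-length handling the kpdf/xpdf patch bounds;
// not the kpdf or xpdf source. Struct and function names are assumptions.
const int kMaxKeyBytes = 16;   // size of the fixed file-key buffer

struct EncryptDict {           // the encryption-dictionary fields read here
    int version;               // /V
    int revision;              // /R
    int lengthBits;            // /Length in bits, 0 when the entry is absent
};

// Key length in bytes as derived before any range check: V1 files use a
// fixed 40-bit key (5 bytes); otherwise the file's own /Length is trusted.
int rawKeyLength(const EncryptDict &d) {
    if (d.version >= 2 && d.lengthBits > 0) return d.lengthBits / 8;
    return 5;
}

// The patch's approach: cap at the buffer size and carry on decrypting.
int clampedKeyLength(const EncryptDict &d) {
    int n = rawKeyLength(d);
    return n > kMaxKeyBytes ? kMaxKeyBytes : n;
}

// Stricter alternative: anything outside what the format allows (a multiple
// of 8 bits, 40..128) is malformed input and is rejected with -1.
int checkedKeyLength(const EncryptDict &d) {
    if (d.lengthBits < 0 || d.lengthBits % 8 != 0) return -1;
    int n = rawKeyLength(d);
    if (n < 5 || n > kMaxKeyBytes) return -1;
    return n;
}

// Copies the derived key bytes ('derived' holds at least 16) into the fixed
// buffer only once the length is known to fit. Returns the number of bytes
// written, or 0 when the dictionary was rejected.
int loadFileKey(const EncryptDict &d, const uint8_t *derived,
                uint8_t out[kMaxKeyBytes]) {
    int n = checkedKeyLength(d);
    if (n < 0) return 0;
    std::memcpy(out, derived, static_cast<size_t>(n));  // 5 <= n <= 16 here
    return n;
}
```

With a declared /Length of 1024 bits the clamp yields a 16-byte key and decryption proceeds, while the checked variant refuses the document; both avoid the overflow, but only the second surfaces the malformed input.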