Your message dated Sat, 17 Nov 2007 15:02:15 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450631: fixed in koffice 1:1.6.3-3+lenny1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: koffice
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xpdf, and koffice includes this code.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: koffice
Source-Version: 1:1.6.3-3+lenny1

We believe that the bug you reported is fixed in the latest version of
koffice, which is due to be installed in the Debian FTP archive:

karbon_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/karbon_1.6.3-3+lenny1_i386.deb
kchart_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kchart_1.6.3-3+lenny1_i386.deb
kexi_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kexi_1.6.3-3+lenny1_i386.deb
kformula_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kformula_1.6.3-3+lenny1_i386.deb
kivio-data_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/kivio-data_1.6.3-3+lenny1_all.deb
kivio_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kivio_1.6.3-3+lenny1_i386.deb
koffice-data_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/koffice-data_1.6.3-3+lenny1_all.deb
koffice-dbg_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/koffice-dbg_1.6.3-3+lenny1_i386.deb
koffice-dev_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/koffice-dev_1.6.3-3+lenny1_i386.deb
koffice-doc-html_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/koffice-doc-html_1.6.3-3+lenny1_all.deb
koffice-doc_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/koffice-doc_1.6.3-3+lenny1_all.deb
koffice-libs_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/koffice-libs_1.6.3-3+lenny1_i386.deb
koffice_1.6.3-3+lenny1.diff.gz
  to pool/main/k/koffice/koffice_1.6.3-3+lenny1.diff.gz
koffice_1.6.3-3+lenny1.dsc
  to pool/main/k/koffice/koffice_1.6.3-3+lenny1.dsc
koffice_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/koffice_1.6.3-3+lenny1_all.deb
koshell_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/koshell_1.6.3-3+lenny1_i386.deb
kplato_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kplato_1.6.3-3+lenny1_i386.deb
kpresenter-data_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/kpresenter-data_1.6.3-3+lenny1_all.deb
kpresenter_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kpresenter_1.6.3-3+lenny1_i386.deb
krita-data_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/krita-data_1.6.3-3+lenny1_all.deb
krita_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/krita_1.6.3-3+lenny1_i386.deb
kspread_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kspread_1.6.3-3+lenny1_i386.deb
kthesaurus_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kthesaurus_1.6.3-3+lenny1_i386.deb
kugar_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kugar_1.6.3-3+lenny1_i386.deb
kword-data_1.6.3-3+lenny1_all.deb
  to pool/main/k/koffice/kword-data_1.6.3-3+lenny1_all.deb
kword_1.6.3-3+lenny1_i386.deb
  to pool/main/k/koffice/kword_1.6.3-3+lenny1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated koffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 15 Nov 2007 22:22:08 +0100
Source: koffice
Binary: koffice-data kivio koffice kugar kchart karbon kpresenter koffice-dbg
 kformula koffice-libs koshell kivio-data kspread kword koffice-doc krita
 krita-data kexi koffice-dev kword-data kthesaurus koffice-doc-html kplato
 kpresenter-data
Architecture: source i386 all
Version: 1:1.6.3-3+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 karbon - a vector graphics application for the KDE Office Suite
 kchart - a chart drawing program for the KDE Office Suite
 kexi - integrated database environment for the KDE Office Suite
 kformula - a formula editor for the KDE Office Suite
 kivio - a flowcharting program for the KDE Office Suite
 kivio-data - data files for Kivio flowcharting program
 koffice - KDE Office Suite
 koffice-data - common shared data for the KDE Office Suite
 koffice-dbg - debugging symbols for koffice
 koffice-dev - common libraries for KOffice (development files)
 koffice-doc - developer documentation for the KDE Office Suite
 koffice-doc-html - KDE Office Suite documentation in HTML format
 koffice-libs - common libraries and binaries for the KDE Office Suite
 koshell - the KDE Office Suite workspace
 kplato - an integrated project management and planning tool
 kpresenter - a presentation program for the KDE Office Suite
 kpresenter-data - data files for KPresenter presentation program
 krita - a pixel-based image manipulation program for the KDE Office Suite
 krita-data - data files for Krita painting program
 kspread - a spreadsheet for the KDE Office Suite
 kthesaurus - thesaurus for the KDE Office Suite
 kugar - a business report maker for the KDE Office Suite
 kword - a word processor for the KDE Office Suite
 kword-data - data files for KWord word processor
Closes: 450631
Changes:
 koffice (1:1.6.3-3+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Included koffice-1.6.3-xpdf2-CVE-2007-4352-5392-5393.diff to address the
     following security issues (Closes: #450631)
     - CVE-2007-5393 buffer overflow in the CCITTFaxStream::lookChar leading
       to arbitrary code execution via a crafted pdf file.
     - CVE-2007-5392 integer overflow in the DCTStream::reset resulting in a
       heap based buffer overflow allows code execution.
     - CVE-2007-4352 array index error in DCTStream::readProgressiveDataUnit
       leads to memory corruption and possibly arbitrary code execution.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHPYwDHYflSXNkfP8RAuiwAKCKPOn5gn7aWLzIULyQAY5Y3/C+0gCfVmwM
SS85FfZpv1a8DhfR/v/Q05E=
=jr3R
-----END PGP SIGNATURE-----
--- End Message ---