oss-sec mailing list archives
Re: CVE request for Calligra
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 05 Aug 2012 14:25:24 -0600
On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
> Hi.
>
> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell <mitchell () kde org> wrote:
>> On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
>>> On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
>>>> What commit code do you want?
>>>
>>> Please post the diff between the vulnerable code and the fix so we are sure that is a security issue.
>>
>> Hi,
>>
>> You can read all about the details of the vulnerability in the Black Hat 2012 presentation by Charlie Miller
>> (http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf)
>> -- details of the Calligra (and KOffice) exploit start at page 39.
>>
>> Unfortunately, he did not notify us ahead of time of his intent to disclose, so it's already public.

I suspect he may not have known about it (this is the first time I can remember hearing of Calligra). Trying to keep track of all possible project forks is pretty much impossible in the modern Open Source world.

Charlie 1): have you requested CVE #s for this issue for KOffice?

Charlie 2): it appears there are quite a few other security issues in the presentation; are they in open source components? If yes, can you please send a CVE request(s) for the issue to oss-security@ so I can assign CVEs for them? Thanks.

Once Charlie replies (either way) I'll assign CVEs.

>> Thanks,
>> Jeff
>
> As reported by Thorsten Zachmann to the kde-packagers ml, here are the commit ids:
>
> The commit ID for master is 8652ab672eaaa145dfb3782f5011de58aa4cc046
> https://projects.kde.org/projects/calligra/repository/diff?rev=8652ab672eaaa145dfb3782f5011de58aa4cc046&rev_to=6e0323801dd144ad36720949fbef01d992a8e801
>
> The commit ID for calligra/2.5 is f04d585ca1d3ee27f125d0129a23ca7b7850902d
> https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
>
> The commit ID for calligra/2.4 is 7d72f7dd8d28d18c59a08a7d43bd4e0654043103
> https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
>
> Regards,
> Jorge Manuel B. S. Vicetto
-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE request for Calligra Jeff Mitchell (Aug 04)
- Re: CVE request for Calligra Agostino Sarubbo (Aug 04)
- Re: CVE request for Calligra Jeff Mitchell (Aug 04)
- Re: CVE request for Calligra Agostino Sarubbo (Aug 04)
- Re: CVE request for Calligra Jeff Mitchell (Aug 04)
- Re: CVE request for Calligra Jorge Manuel B. S. Vicetto (Aug 05)
- Re: CVE request for Calligra Kurt Seifried (Aug 05)
- Re: CVE request for Calligra Charlie Miller (Aug 05)
- Re: CVE request for Calligra Jeff Mitchell (Aug 06)
- Re: CVE request for Calligra Kurt Seifried (Aug 06)
- Re: CVE request for Calligra Kurt Seifried (Aug 06)
- Re: CVE request for Calligra Jeff Mitchell (Aug 07)
- Re: CVE request for Calligra Jeff Mitchell (Aug 10)
- Re: CVE request for Calligra Jeff Mitchell (Aug 04)
- Re: CVE request for Calligra Agostino Sarubbo (Aug 04)