Re: CVE request for Calligra

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
> Hi.
>
> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell <mitchell () kde org>
> wrote:
> > On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
> > > On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
> > > > What commit code do you want?
> > > Please post the diff between the vulnerable code and the fix so
> > > we are sure that is a security issue.
> >
> > Hi,
> >
> > You can read all about the details of the vulnerability in the
> > Black Hat 2012 presentation by Charlie Miller 
> > (http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf)
- -- details of the Calligra (and KOffice) exploit start at page 39.
> > Unfortunately, he did not notify us ahead of time of his intent
> > to disclose, so it's already public.

I suspect he may not have known about it (this is the first time I can
remember hearing of Calligra). Trying to keep track of all possible
project forks is pretty much impossible in the modern Open Source world.

Charlie 1): have you requested CVE #'s for this issue for Koffice?

Charlie 2): it appears there are quite a few other security issues in
the presentation, are they in open source components, if yes can you
please send a CVE request(s) for the issue to oss-security@ so I can
assign CVE's for them? Thanks.

Once Charlie replies (either way) I'll assign CVE's.

> > Thanks, Jeff
>
>
> As reported by Thorsten Zachmann to the kde-packagers ml, here are
> the commit ids:
>
>
> The commit IDs for master is 
> 8652ab672eaaa145dfb3782f5011de58aa4cc046 
> https://projects.kde.org/projects/calligra/repository/diff?rev=8652ab672eaaa145dfb3782f5011de58aa4cc046&rev_to=6e0323801dd144ad36720949fbef01d992a8e801
>
>  The commit ID for calligra/2.5 is 
> f04d585ca1d3ee27f125d0129a23ca7b7850902d 
> https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
>
>  The commit ID for calligra/2.4 is 
> 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
> https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
>
>  Regards,
>
> Jorge Manuel B. S. Vicetto


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQHta0AAoJEBYNRVNeJnmTzEQP/3P5la9AFY40vMsBT+h3JTwm
Qw4lpSljSgc6CNADCmXHOMXdyyqvawUmWGVixRzn3Rmac40kw1hdplyG4mfkFz7X
LCL1rreZd/S59WdPD6ev3pwPBDQVjR+2i/8dk134OqUe+pUsQNAx9a7f02wC+Ecy
N6jqU6AmhwT1yKLKJHwl797sVciVduSOOdpQ88/kocdtCU6a8ydRqpJrV4P3G9MU
J+qpz90eCvCjsV7gJRp8aaXq7o/+buYcKXLu7O0ypNavMEDcjsPkfFoaL8Am89HE
V4sxjur/zyg5kcJgrRQihPxApeUOmMJ59sVcSqhtv/FD8/+OPx9p99sU/N4LQDzO
DXSZKa1QXithfZL/r+LQ1Xe8VPh/iXSp8YPXlsH3ZNeoNNFevygO8NfhSohY/vzx
l4+jWWbD9ps3i4dl1jpvfsms4zB5ILjPzTUm66VtguaM9lVBV5PAdCwchLSpatDq
0yOWODqHDbwfFEEYNZHBXAjzZn2Li3qh4O5fV0HY4KZnBfpyNA7T3LKQ5kROW4cV
TUmUbJnauJMxKEwisMLIwj/v+FELovZHKrWWYEFgXYuIunvSyGK+VdQ3w2pqs3Ct
M0mbZJtntRtRZH/HDxRmijtAlAc5j+xU3WpeZJs1uywEFpLJLvGfYZ0rEdZDeamg
96sUYX0rQleI2CfCoY1R
=W8an
-----END PGP SIGNATURE-----