oss-sec mailing list archives

Re: CVE request for Calligra


From: Jeff Mitchell <mitchell () kde org>
Date: Mon, 06 Aug 2012 08:45:16 -0400

On 08/05/2012 07:27 PM, Charlie Miller wrote:
> Hi Kurt.
>
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my system.
> I didn't know what library it was in (I'd never even heard of
> Calligra), if it was already known about upstream, what other
> software depends on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff sorted
> out, so I just report it to the vendor and let them deal with these
> issues.  In that spirit, I reported to Nokia early last month.  As
> for your questions, I have not asked for CVEs for any of these
> vulnerabilities.  Feel free to request them yourselves.  I believe
> the only vulnerability I know enough details about to say is a
> security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!

Hi there,

As you may have heard, Nokia has a few issues these days with MeeGo, so
it's not surprising that they haven't contacted upstreams if you
reported it to them  :-)

Calligra is a (maintained) fork of KOffice. At this point it's not clear
to me, based on commit activity, if KOffice is maintained.

Regardless, I guess I'd like a CVE for both (or two CVEs, depending on
your preferences).

--Jeff
