oss-sec mailing list archives
Re: CVE request for Calligra
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 06 Aug 2012 13:01:37 -0600
On 08/06/2012 06:45 AM, Jeff Mitchell wrote:
> On 08/05/2012 07:27 PM, Charlie Miller wrote:
>> Hi Kurt. Yes, sorry I didn't report directly to the correct people.
>> I only knew that the vulnerability existed for sure in the Nokia
>> Documents app and also in the version of Koffice I happen to have on
>> my system. I didn't know what library it was in (I'd never even heard
>> of Calligra), if it was already known about upstream, what other
>> software depend on this library, etc. As you're probably aware, it
>> can be a very time consuming process to try to get that stuff sorted
>> out, so I just report it to the vendor and let them deal with these
>> issues. In that spirit, I reported to Nokia early last month.
>>
>> As for your questions, I have not asked for CVE's for any of these
>> vulnerabilities. Feel free to request them yourselves. I believe the
>> only vulnerability I know enough details about to say is a security
>> issue is the one in the document about parsing word documents.
>>
>> I hope that clears up any questions you might have. Thanks!
>
> Hi there,
>
> As you may have heard, Nokia has a few issues these days with MeeGo,
> so it's not surprising that they haven't contacted upstreams if you
> reported it to them :-)
>
> Calligra is a (maintained) fork of KOffice. At this point it's not
> clear to me, based on commit activity, if KOffice is maintained.
> Regardless, I guess I'd like a CVE for both (or two CVEs, depending
> on your preferences).
>
> --Jeff

It looks like koffice is mostly dead so I'm going to consider calligra a forked code base (since it is maintained =), so 2 CVE's.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993