Re: CVE request for Calligra

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/06/2012 06:45 AM, Jeff Mitchell wrote:
> On 08/05/2012 07:27 PM, Charlie Miller wrote:
> > Hi Kurt.
> >
> > Yes, sorry I didn't report directly to the correct people.  I
> > only knew that the vulnerability existed for sure in the Nokia
> > Documents app and also in the version of Koffice I happen to have
> > on my system. I didn't know what library it was in (I'd never
> > even heard of Calligra), if it was already known about upstream,
> > what other software depend on this library, etc.  As you're
> > probably aware, it can be a very time consuming process to try to
> > get that stuff sorted out, so I just report it to the vendor and
> > let them deal with these issues.  In that spirit, I reported to
> > Nokia early last month.  As for your questions, I have not asked
> > for CVE's for any of these vulnerabilities.  Feel free to request
> > them yourselves.  I believe the only vulnerability I know enough
> > details about to say is a security issue is the one in the
> > document about parsing word documents.  I hope that clears up any
> > questions you might have. Thanks!
>
> Hi there,
>
> As you may have heard, Nokia has a few issues these days with
> MeeGo, so it's not surprising that they haven't contacted upstreams
> if you reported it to them  :-)
>
> Calligra is a (maintained) fork of KOffice. At this point it's not
> clear to me, based on commit activity, if KOffice is maintained.
>
> Regardless, I guess I'd like a CVE for both (or two CVEs, depending
> on your preferences).
>
> --Jeff

It looks like koffice is mostly dead so I'm going to consider calligra a
forked code base (since it is maintained =), so 2 CVE's.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBSRAAoJEBYNRVNeJnmTY8gP/1mRUswwM6tmos1dn4irNoCV
TpVPrKeykKtlvAhbs7gkESthOKLCNvJ9Yw15DFfC/WIF+HFXCk+9rIuRNqZzOvk4
SQ1NVW7a3DgFYODDxh3dtQC+l5Pc/uTpbMF5lInvirSamxyoGf4390rAzy8NMdEl
V6proz15AT+RnjtaUD5wEAx7kIUoBoxfhxO+afoJE7b5lNP11QUu4nNBR4u5vnDu
JkzER9I2qJscynoNjZ2ka/93wfp7+Pp0Ys3rlX3zGS6dtEs5tIh69Z2jqRBU5IrK
0gWt8FqGjxJT3kYIX7c+CYjAxzw2b8bDCUjyY5Wph/KR37TjKZmzXHoLCauTqTsP
Lf2wPHmEFnPJtBQASVm6/Un2gSOWEwnXBx6oAOU9rtOH/AtsE8OCJS6EZVmBSp/p
RZ9kv+I6nQtoe0QtL91xDOicWC12bjgYc89qaBHK6OOWJT69j5qXlCM1batPdloE
MPd6QRZiDBTrFQ/sq6rPgdzvqJRwfVdr46yvy+xDb6BWY/bGaFVD01oRQ6+1N+mk
Ucp3RBBdFEpEOBprR1clUfDeK5GiDIm8DTJxnGML3yzlo/GDHEoNFdWUXOOKCPEv
WZDBk60ktrV/e45E3yrvQenOPnG42UQMnuaBBtCpElTRX+7dFuIjrzWhTgnTiMUs
p64rpfycd+1aj+y57pK9
=jKit
-----END PGP SIGNATURE-----