Re: CVE request for Calligra

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2012 05:27 PM, Charlie Miller wrote:
> Hi Kurt.
>
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my
> system.  I didn't know what library it was in (I'd never even heard
> of Calligra), if it was already known about upstream, what other
> software depend on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff
> sorted out, so I just report it to the vendor and let them deal
> with these issues.  In that spirit, I reported to Nokia early last
> month.  As for your questions, I have not asked for CVE's for any
> of these vulnerabilities.  Feel free to request them yourselves.  I
> believe the only vulnerability I know enough details about to say
> is a security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!
>
> Charlie
>
> On Aug 5, 2012, at 3:25 PM, Kurt Seifried wrote:
>
> On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
> > > > Hi.
> > > >
> > > > On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell
> > > > <mitchell () kde org> wrote:
> > > > > On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
> > > > > > On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
> > > > > > > What commit code do you want?
> > > > > > Please post the diff between the vulnerable code and the
> > > > > > fix so we are sure that is a security issue.
> > > > >
> > > > > Hi,
> > > > >
> > > > > You can read all about the details of the vulnerability in
> > > > > the Black Hat 2012 presentation by Charlie Miller (c)
> -- details of the Calligra (and KOffice) exploit start at page 39.
> > > > > Unfortunately, he did not notify us ahead of time of his
> > > > > intent to disclose, so it's already public.
>
> I suspect he may not have known about it (this is the first time I
> can remember hearing of Calligra). Trying to keep track of all
> possible project forks is pretty much impossible in the modern Open
> Source world.
>
> Charlie 1): have you requested CVE #'s for this issue for Koffice?
>
> Charlie 2): it appears there are quite a few other security issues
> in the presentation, are they in open source components, if yes can
> you please send a CVE request(s) for the issue to oss-security@ so
> I can assign CVE's for them? Thanks.
>
> Once Charlie replies (either way) I'll assign CVE's.
>
> > > > > Thanks, Jeff
> > > >
> > > >
> > > > As reported by Thorsten Zachmann to the kde-packagers ml,
> > > > here are the commit ids:
> > > >
> > > >
> > > > The commit IDs for master is 
> > > > 8652ab672eaaa145dfb3782f5011de58aa4cc046 c
> > > >
> > > > The commit ID for calligra/2.5 is 
> > > > f04d585ca1d3ee27f125d0129a23ca7b7850902d 
> > > > https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
The commit ID for calligra/2.4 is
> > > > 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
> > > > https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
Regards,
> > > > Jorge Manuel B. S. Vicetto

For this DOC rendering issue please use CVE-2012-3455 for KOffice and
please use 2012-3456 for Calligra.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBXaAAoJEBYNRVNeJnmTV/wQAI2BRqWGJwDMKoh2jUduowkU
xp+5Rf3dPJhI0o9FVaTkk7kWkmLnheecervdNwmthoL6l0D/yvl26gxcBaCr5CBq
JwQNsIeA4sNBJ4gDSCB7CQ1EpRJnCAar/M6wPAg9lUfwNqH+NKD4TJxvpELoOYiu
17Hgj36KnGn/hEmaq7ugIBpf0nY+PDjGwMI+SeCiLBMJU92y49MA6kjbZ5wZZcnA
91pedfhW1Ia1P/4HhTV/WfcepfyqYAld+QMPiq66JHPLxbXY4sZu3F8Ff9RfwBK7
an+auUf3ITng2CscSjjlRtabQdPismt1JS9eI/X6A+kjB3oE6tFOW5rM0DWitH+B
E7MvwJW9rV3VTleQlQgzQEJJrJWRdDpJrwmCAgYDD5OEdjmoXSJQD9/2oWJmcED0
pQC6jt3hOZAXsu2XO6Ib0QBKCSfgJ7gFT3u5YJbydAWLxN8B+P6H4fUupbVhcDCS
eN/WZRSdKzXICglriLM+CdG8r0tmQbC+76KwKtvtEYrQRJv/S8Hpc3RaRxWVcEpW
6JW0Hacol4xoZDPyl25VQlNqcaekXKUdFHYZJic0cv5OEeRnmYA6jcZEgDmvZWFo
HReRIsstQjWGsjli90U7EQQHt7ZwyaccXpOnIfPXw1I/31PBJViMBuL4Zuxuue4H
RQvuo6IFqkXGFCBNneK5
=S3Bf
-----END PGP SIGNATURE-----