Bug#280373: kfax libtiff vulnerabilities
On Monday 08 November 2004 10:13 pm, Chris Cheney wrote:
> On Mon, Nov 08, 2004 at 09:35:30PM -0500, Josh Metzler wrote:
> > On Monday 08 November 2004 07:46 pm, Chris Cheney wrote:
> > > On Tue, Nov 09, 2004 at 12:37:55AM +0100, Andreas Mueller wrote:
> > > > Package: kfax
> > > > Version: 4:3.3.1-1
> > > > Severity: normal
> > > >
> > > > -- cut from the inofficial KDE Security Advisory --
> > > >
> > > > kfax, a small utility for displaying fax files, contains
> > > > for historic reasons a private copy of libtiff.
> > > > Therefore it is vulnerable to these issues as well.
> > > >
> > > > As a workaround, you can remove the kfax binary and the
> > > > kfax_multipage KPart from your system to be on the safe
> > > > side. A new package is now on ktown.
> > > >
> > > > This issue is already sort-of public because Red Hat already
> > > > announced it as part of their kdegraphics update.
> > > >
> > > > Cheers,
> > > > amu
> > >
> > > The kfax in kdegraphics 3.3.1-1 deb is already fixed afaik, they
> > > removed libtiff from kdegraphics source and use libtiff-tools instead.
> > >
> > > Chris
> >
> > It is not fixed in kdegraphics 3.3.1-1. I just downloaded the source
> > (apt-get source kdegraphics), and the kfax.cpp is the version dated July
> > 12, 2004 which is in the tagged KDE_3_3_1_RELEASE. The fix was committed
> > to both KDE_3_3_BRANCH and KDE_3_2_BRANCH on October 16, 2004. The 3.2
> > branch was refixed on October 23.
>
> Did you happen to look at the source after
> debian/patches/01_kdegraphics_branch.diff.uu is applied? The orig.tar.gz
> is not patched directly of course...
>
> Chris

Sorry, but I did not. I didn't realize the patching happened during the
build process and not when the sources were extracted.

Josh
Bug#280373: kfax libtiff vulnerabilities
> Did you happen to look at the source after
> debian/patches/01_kdegraphics_branch.diff.uu is applied? The orig.tar.gz
> is not patched directly of course...

An understandable mistake. With many (most, I suspect) packages, the
debian diffs are applied upon dpkg-source -x. For the KDE modules they're
not applied until you actually begin the build.

b.
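The mistake above is easy to repeat with any package whose patches are only applied at build time: inspecting the extracted tree tells you nothing about what the built binary contains. A reviewer can instead decode the packaging patch itself and confirm that it reaches the file in question. The following is an added example written for this thread, not code from the bug report or from the Debian KDE packaging. It assumes a uuencoded unified diff in the style of debian/patches/01_kdegraphics_branch.diff.uu; the hunks in SAMPLE_DIFF are constructed for the example and are not the real patch.

```python
import binascii
from typing import List, Optional

# Constructed sample standing in for the decoded contents of
# debian/patches/01_kdegraphics_branch.diff.uu. The hunks are invented for
# this example and are not the real Debian patch: they pretend to backport a
# bounds check into kfax/kfax.cpp and to touch one unrelated file.
SAMPLE_DIFF = """\
--- kdegraphics-3.3.1/kfax/kfax.cpp
+++ kdegraphics-3.3.1/kfax/kfax.cpp
@@ -1,3 +1,4 @@
 void load(int n)
 {
+    if (n < 0) return;  /* constructed bounds check */
     read(n);
--- kdegraphics-3.3.1/kdvi/dviwin.cpp
+++ kdegraphics-3.3.1/kdvi/dviwin.cpp
@@ -1 +1 @@
-int x;
+int y;
"""


def uuencode_text(name: str, data: bytes, mode: str = "644") -> str:
    """Wrap raw bytes in the classic uuencode envelope, 45 input bytes per line."""
    lines = [f"begin {mode} {name}"]
    for off in range(0, len(data), 45):
        chunk = data[off:off + 45]
        lines.append(binascii.b2a_uu(chunk).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length line that terminates the body
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode_text(text: str) -> bytes:
    """Decode a uuencoded file back to bytes; ignores anything before 'begin'."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            return bytes(out)
        if line.strip() in ("", "`"):
            continue  # terminator (or stray blank) carries no data
        out += binascii.a2b_uu(line)
    raise ValueError("uuencoded body has no terminating 'end' line")


def _target_path(header: str) -> Optional[str]:
    """Path from a '+++ ' header line, or None when the file is being deleted."""
    path = header[4:].split("\t")[0].strip()
    return None if path == "/dev/null" else path


def patched_files(diff: str) -> List[str]:
    """Every file a unified diff modifies or creates, in order of appearance."""
    files = []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = _target_path(line)
            if path is not None and path not in files:
                files.append(path)
    return files


def added_lines(diff: str, suffix: str) -> List[str]:
    """The lines a unified diff adds to the file whose path ends in `suffix`."""
    current = None
    added = []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            current = _target_path(line)
        elif line.startswith("+") and current is not None and current.endswith(suffix):
            added.append(line[1:])
    return added


def patch_touches(diff: str, suffix: str) -> bool:
    """True when the diff changes a file whose path ends in `suffix`."""
    return any(p.endswith(suffix) for p in patched_files(diff))


# The uuencoded form a reviewer would find under debian/patches/ (constructed here).
ENCODED_PATCH = uuencode_text("01_kdegraphics_branch.diff", SAMPLE_DIFF.encode("utf-8"))


def check_patch(uu_text: str, suffix: str) -> dict:
    """Decode a .diff.uu and report whether, and how, it changes the file of interest."""
    diff = uudecode_text(uu_text).decode("utf-8")
    return {
        "files": patched_files(diff),
        "touches_target": patch_touches(diff, suffix),
        "added_to_target": added_lines(diff, suffix),
    }


if __name__ == "__main__":
    report = check_patch(ENCODED_PATCH, "kfax/kfax.cpp")
    print("patch touches kfax.cpp:", report["touches_target"])
    for text in report["added_to_target"]:
        print("  +", text)
```

Run against the real debian/patches file, this answers the question Chris raised without building the package: if the decoded diff never names kfax/kfax.cpp, the upstream branch fix is not in the Debian build either, whatever the extracted orig.tar.gz looks like.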
Bug#280373: kfax libtiff vulnerabilities
* Chris Cheney [Mon, 08 Nov 2004 21:13:02 -0600]:

> > It is not fixed in kdegraphics 3.3.1-1. I just downloaded the source
> > (apt-get source kdegraphics), and the kfax.cpp is the version dated July
> > 12, 2004 which is in the tagged KDE_3_3_1_RELEASE. The fix was committed
> > to both KDE_3_3_BRANCH and KDE_3_2_BRANCH on October 16, 2004. The 3.2
> > branch was refixed on October 23.

> Did you happen to look at the source after
> debian/patches/01_kdegraphics_branch.diff.uu is applied? The orig.tar.gz
> is not patched directly of course...

then the 'sid' tag should be removed, /me guesses.

-- 
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Listening to: Alaska y Dinarama - La Pastilla Roja

Any life, no matter how long and complex it may be, is made up of a single
moment: the moment in which a man finds out, once and for all, who he is.
-- Jorge Luis Borges
Bug#280373: kfax libtiff vulnerabilities
On Mon, Nov 08, 2004 at 09:35:30PM -0500, Josh Metzler wrote:
> On Monday 08 November 2004 07:46 pm, Chris Cheney wrote:
> > On Tue, Nov 09, 2004 at 12:37:55AM +0100, Andreas Mueller wrote:
> > > Package: kfax
> > > Version: 4:3.3.1-1
> > > Severity: normal
> > >
> > > -- cut from the inofficial KDE Security Advisory --
> > >
> > > kfax, a small utility for displaying fax files, contains
> > > for historic reasons a private copy of libtiff.
> > > Therefore it is vulnerable to these issues as well.
> > >
> > > As a workaround, you can remove the kfax binary and the
> > > kfax_multipage KPart from your system to be on the safe
> > > side. A new package is now on ktown.
> > >
> > > This issue is already sort-of public because Red Hat already announced
> > > it as part of their kdegraphics update.
> > >
> > > Cheers,
> > > amu
> >
> > The kfax in kdegraphics 3.3.1-1 deb is already fixed afaik, they removed
> > libtiff from kdegraphics source and use libtiff-tools instead.
> >
> > Chris
>
> It is not fixed in kdegraphics 3.3.1-1. I just downloaded the source
> (apt-get source kdegraphics), and the kfax.cpp is the version dated July
> 12, 2004 which is in the tagged KDE_3_3_1_RELEASE. The fix was committed
> to both KDE_3_3_BRANCH and KDE_3_2_BRANCH on October 16, 2004. The 3.2
> branch was refixed on October 23.

Did you happen to look at the source after
debian/patches/01_kdegraphics_branch.diff.uu is applied? The orig.tar.gz
is not patched directly of course...

Chris
Bug#280373: kfax libtiff vulnerabilities
On Monday 08 November 2004 07:46 pm, Chris Cheney wrote:
> On Tue, Nov 09, 2004 at 12:37:55AM +0100, Andreas Mueller wrote:
> > Package: kfax
> > Version: 4:3.3.1-1
> > Severity: normal
> >
> > -- cut from the inofficial KDE Security Advisory --
> >
> > kfax, a small utility for displaying fax files, contains
> > for historic reasons a private copy of libtiff.
> > Therefore it is vulnerable to these issues as well.
> >
> > As a workaround, you can remove the kfax binary and the
> > kfax_multipage KPart from your system to be on the safe
> > side. A new package is now on ktown.
> >
> > This issue is already sort-of public because Red Hat already announced
> > it as part of their kdegraphics update.
> >
> > Cheers,
> > amu
>
> The kfax in kdegraphics 3.3.1-1 deb is already fixed afaik, they removed
> libtiff from kdegraphics source and use libtiff-tools instead.
>
> Chris

It is not fixed in kdegraphics 3.3.1-1. I just downloaded the source
(apt-get source kdegraphics), and the kfax.cpp is the version dated July
12, 2004 which is in the tagged KDE_3_3_1_RELEASE. The fix was committed
to both KDE_3_3_BRANCH and KDE_3_2_BRANCH on October 16, 2004. The 3.2
branch was refixed on October 23.

Josh
Bug#280373: kfax libtiff vulnerabilities
On Tue, Nov 09, 2004 at 12:37:55AM +0100, Andreas Mueller wrote:
> Package: kfax
> Version: 4:3.3.1-1
> Severity: normal
>
> -- cut from the inofficial KDE Security Advisory --
>
> kfax, a small utility for displaying fax files, contains
> for historic reasons a private copy of libtiff.
> Therefore it is vulnerable to these issues as well.
>
> As a workaround, you can remove the kfax binary and the
> kfax_multipage KPart from your system to be on the safe
> side. A new package is now on ktown.
>
> This issue is already sort-of public because Red Hat already announced
> it as part of their kdegraphics update.
>
> Cheers,
> amu

The kfax in kdegraphics 3.3.1-1 deb is already fixed afaik, they removed
libtiff from kdegraphics source and use libtiff-tools instead.

Chris
Bug#280373: kfax libtiff vulnerabilities
Package: kfax
Version: 4:3.3.1-1
Severity: normal

-- cut from the inofficial KDE Security Advisory --

kfax, a small utility for displaying fax files, contains
for historic reasons a private copy of libtiff.
Therefore it is vulnerable to these issues as well.

As a workaround, you can remove the kfax binary and the
kfax_multipage KPart from your system to be on the safe
side. A new package is now on ktown.

This issue is already sort-of public because Red Hat already announced
it as part of their kdegraphics update.

Cheers,
amu