Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 06 Aug 2012 13:07:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Charlie Miller <charlie.miller@...uvant.com>,
        "Jorge Manuel B. S. Vicetto" <jmbsvicetto@...il.com>
Subject: Re: CVE request for Calligra

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2012 05:27 PM, Charlie Miller wrote:
> Hi Kurt.
> 
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my
> system.  I didn't know what library it was in (I'd never even heard
> of Calligra), if it was already known about upstream, what other
> software depend on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff
> sorted out, so I just report it to the vendor and let them deal
> with these issues.  In that spirit, I reported to Nokia early last
> month.  As for your questions, I have not asked for CVE's for any
> of these vulnerabilities.  Feel free to request them yourselves.  I
> believe the only vulnerability I know enough details about to say
> is a security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!
> 
> Charlie
> 
> On Aug 5, 2012, at 3:25 PM, Kurt Seifried wrote:
> 
> On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
>>>> Hi.
>>>> 
>>>> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell
>>>> <mitchell@....org> wrote:
>>>>> On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
>>>>>> On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
>>>>>>> What commit code do you want?
>>>>>> Please post the diff between the vulnerable code and the
>>>>>> fix so we are sure that is a security issue.
>>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> You can read all about the details of the vulnerability in
>>>>> the Black Hat 2012 presentation by Charlie Miller (c)
>>>>> 
>>>>> 
> -- details of the Calligra (and KOffice) exploit start at page 39.
>>>>> 
>>>>> Unfortunately, he did not notify us ahead of time of his
>>>>> intent to disclose, so it's already public.
> 
> I suspect he may not have known about it (this is the first time I
> can remember hearing of Calligra). Trying to keep track of all
> possible project forks is pretty much impossible in the modern Open
> Source world.
> 
> Charlie 1): have you requested CVE #'s for this issue for Koffice?
> 
> Charlie 2): it appears there are quite a few other security issues
> in the presentation, are they in open source components, if yes can
> you please send a CVE request(s) for the issue to oss-security@ so
> I can assign CVE's for them? Thanks.
> 
> Once Charlie replies (either way) I'll assign CVE's.
> 
>>>>> 
>>>>> Thanks, Jeff
>>>> 
>>>> 
>>>> As reported by Thorsten Zachmann to the kde-packagers ml,
>>>> here are the commit ids:
>>>> 
>>>> 
>>>> The commit IDs for master is 
>>>> 8652ab672eaaa145dfb3782f5011de58aa4cc046 c
>>>> 
>>>> The commit ID for calligra/2.5 is 
>>>> f04d585ca1d3ee27f125d0129a23ca7b7850902d 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
>>>>
>>>>
>>>> 
The commit ID for calligra/2.4 is
>>>> 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
>>>>
>>>>
>>>> 
Regards,
>>>> 
>>>> Jorge Manuel B. S. Vicetto
>>>> 

For this DOC rendering issue please use CVE-2012-3455 for KOffice and
please use 2012-3456 for Calligra.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBXaAAoJEBYNRVNeJnmTV/wQAI2BRqWGJwDMKoh2jUduowkU
xp+5Rf3dPJhI0o9FVaTkk7kWkmLnheecervdNwmthoL6l0D/yvl26gxcBaCr5CBq
JwQNsIeA4sNBJ4gDSCB7CQ1EpRJnCAar/M6wPAg9lUfwNqH+NKD4TJxvpELoOYiu
17Hgj36KnGn/hEmaq7ugIBpf0nY+PDjGwMI+SeCiLBMJU92y49MA6kjbZ5wZZcnA
91pedfhW1Ia1P/4HhTV/WfcepfyqYAld+QMPiq66JHPLxbXY4sZu3F8Ff9RfwBK7
an+auUf3ITng2CscSjjlRtabQdPismt1JS9eI/X6A+kjB3oE6tFOW5rM0DWitH+B
E7MvwJW9rV3VTleQlQgzQEJJrJWRdDpJrwmCAgYDD5OEdjmoXSJQD9/2oWJmcED0
pQC6jt3hOZAXsu2XO6Ib0QBKCSfgJ7gFT3u5YJbydAWLxN8B+P6H4fUupbVhcDCS
eN/WZRSdKzXICglriLM+CdG8r0tmQbC+76KwKtvtEYrQRJv/S8Hpc3RaRxWVcEpW
6JW0Hacol4xoZDPyl25VQlNqcaekXKUdFHYZJic0cv5OEeRnmYA6jcZEgDmvZWFo
HReRIsstQjWGsjli90U7EQQHt7ZwyaccXpOnIfPXw1I/31PBJViMBuL4Zuxuue4H
RQvuo6IFqkXGFCBNneK5
=S3Bf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ