Date: Mon, 06 Aug 2012 13:07:06 -0600
From: Kurt Seifried <>
CC: Charlie Miller <>,
        "Jorge Manuel B. S. Vicetto" <>
Subject: Re: CVE request for Calligra

On 08/05/2012 05:27 PM, Charlie Miller wrote:
> Hi Kurt.
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my
> system.  I didn't know what library it was in (I'd never even heard
> of Calligra), if it was already known about upstream, what other
> software depend on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff
> sorted out, so I just report it to the vendor and let them deal
> with these issues.  In that spirit, I reported to Nokia early last
> month.  As for your questions, I have not asked for CVE's for any
> of these vulnerabilities.  Feel free to request them yourselves.  I
> believe the only vulnerability I know enough details about to say
> is a security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!
> Charlie
> On Aug 5, 2012, at 3:25 PM, Kurt Seifried wrote:
> On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
>>>> Hi.
>>>> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell
>>>> <> wrote:
>>>>> On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
>>>>>> On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
>>>>>>> What commit code do you want?
>>>>>> Please post the diff between the vulnerable code and the
>>>>>> fix so we are sure that is a security issue.
>>>>> Hi,
>>>>> You can read all about the details of the vulnerability in
>>>>> the Black Hat 2012 presentation by Charlie Miller (c)
>>>>> -- details of the Calligra (and KOffice) exploit start at page 39.
>>>>> Unfortunately, he did not notify us ahead of time of his
>>>>> intent to disclose, so it's already public.
> I suspect he may not have known about it (this is the first time I
> can remember hearing of Calligra). Trying to keep track of all
> possible project forks is pretty much impossible in the modern Open
> Source world.
> Charlie 1): have you requested CVE #'s for this issue for Koffice?
> Charlie 2): it appears there are quite a few other security issues
> in the presentation, are they in open source components, if yes can
> you please send a CVE request(s) for the issue to oss-security@ so
> I can assign CVE's for them? Thanks.
> Once Charlie replies (either way) I'll assign CVE's.
>>>>> Thanks, Jeff
>>>> As reported by Thorsten Zachmann to the kde-packagers ml,
>>>> here are the commit ids:
>>>> The commit IDs for master is 
>>>> 8652ab672eaaa145dfb3782f5011de58aa4cc046 c
>>>> The commit ID for calligra/2.5 is 
>>>> f04d585ca1d3ee27f125d0129a23ca7b7850902d 
>>>> The commit ID for calligra/2.4 is
>>>> 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
>>>> Jorge Manuel B. S. Vicetto

For this DOC rendering issue please use CVE-2012-3455 for KOffice and
please use 2012-3456 for Calligra.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
