Date: Mon, 06 Aug 2012 13:01:37 -0600
From: Kurt Seifried <>
CC: Jeff Mitchell <>,
        Charlie Miller <>,
        "Jorge Manuel B. S. Vicetto" <>
Subject: Re: CVE request for Calligra

On 08/06/2012 06:45 AM, Jeff Mitchell wrote:
> On 08/05/2012 07:27 PM, Charlie Miller wrote:
>> Hi Kurt.
>> Yes, sorry I didn't report directly to the correct people.  I
>> only knew that the vulnerability existed for sure in the Nokia
>> Documents app and also in the version of Koffice I happen to have
>> on my system. I didn't know what library it was in (I'd never
>> even heard of Calligra), if it was already known about upstream,
>> what other software depend on this library, etc.  As you're
>> probably aware, it can be a very time consuming process to try to
>> get that stuff sorted out, so I just report it to the vendor and
>> let them deal with these issues.  In that spirit, I reported to
>> Nokia early last month.  As for your questions, I have not asked
>> for CVE's for any of these vulnerabilities.  Feel free to request
>> them yourselves.  I believe the only vulnerability I know enough
>> details about to say is a security issue is the one in the
>> document about parsing word documents.  I hope that clears up any
>> questions you might have. Thanks!
> Hi there,
> As you may have heard, Nokia has a few issues these days with
> MeeGo, so it's not surprising that they haven't contacted upstreams
> if you reported it to them  :-)
> Calligra is a (maintained) fork of KOffice. At this point it's not
> clear to me, based on commit activity, if KOffice is maintained.
> Regardless, I guess I'd like a CVE for both (or two CVEs, depending
> on your preferences).
> --Jeff

It looks like koffice is mostly dead so I'm going to consider calligra a
forked code base (since it is maintained =), so 2 CVE's.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
