Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <50201491.7020201@redhat.com>
Date: Mon, 06 Aug 2012 13:01:37 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jeff Mitchell <mitchell@....org>,
        Charlie Miller <charlie.miller@...uvant.com>,
        "Jorge Manuel B. S. Vicetto" <jmbsvicetto@...il.com>
Subject: Re: CVE request for Calligra

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/06/2012 06:45 AM, Jeff Mitchell wrote:
> On 08/05/2012 07:27 PM, Charlie Miller wrote:
>> Hi Kurt.
>> 
>> Yes, sorry I didn't report directly to the correct people.  I
>> only knew that the vulnerability existed for sure in the Nokia
>> Documents app and also in the version of Koffice I happen to have
>> on my system. I didn't know what library it was in (I'd never
>> even heard of Calligra), if it was already known about upstream,
>> what other software depend on this library, etc.  As you're
>> probably aware, it can be a very time consuming process to try to
>> get that stuff sorted out, so I just report it to the vendor and
>> let them deal with these issues.  In that spirit, I reported to
>> Nokia early last month.  As for your questions, I have not asked
>> for CVE's for any of these vulnerabilities.  Feel free to request
>> them yourselves.  I believe the only vulnerability I know enough
>> details about to say is a security issue is the one in the
>> document about parsing word documents.  I hope that clears up any
>> questions you might have. Thanks!
> 
> Hi there,
> 
> As you may have heard, Nokia has a few issues these days with
> MeeGo, so it's not surprising that they haven't contacted upstreams
> if you reported it to them  :-)
> 
> Calligra is a (maintained) fork of KOffice. At this point it's not
> clear to me, based on commit activity, if KOffice is maintained.
> 
> Regardless, I guess I'd like a CVE for both (or two CVEs, depending
> on your preferences).
> 
> --Jeff

It looks like koffice is mostly dead so I'm going to consider calligra a
forked code base (since it is maintained =), so 2 CVE's.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBSRAAoJEBYNRVNeJnmTY8gP/1mRUswwM6tmos1dn4irNoCV
TpVPrKeykKtlvAhbs7gkESthOKLCNvJ9Yw15DFfC/WIF+HFXCk+9rIuRNqZzOvk4
SQ1NVW7a3DgFYODDxh3dtQC+l5Pc/uTpbMF5lInvirSamxyoGf4390rAzy8NMdEl
V6proz15AT+RnjtaUD5wEAx7kIUoBoxfhxO+afoJE7b5lNP11QUu4nNBR4u5vnDu
JkzER9I2qJscynoNjZ2ka/93wfp7+Pp0Ys3rlX3zGS6dtEs5tIh69Z2jqRBU5IrK
0gWt8FqGjxJT3kYIX7c+CYjAxzw2b8bDCUjyY5Wph/KR37TjKZmzXHoLCauTqTsP
Lf2wPHmEFnPJtBQASVm6/Un2gSOWEwnXBx6oAOU9rtOH/AtsE8OCJS6EZVmBSp/p
RZ9kv+I6nQtoe0QtL91xDOicWC12bjgYc89qaBHK6OOWJT69j5qXlCM1batPdloE
MPd6QRZiDBTrFQ/sq6rPgdzvqJRwfVdr46yvy+xDb6BWY/bGaFVD01oRQ6+1N+mk
Ucp3RBBdFEpEOBprR1clUfDeK5GiDIm8DTJxnGML3yzlo/GDHEoNFdWUXOOKCPEv
WZDBk60ktrV/e45E3yrvQenOPnG42UQMnuaBBtCpElTRX+7dFuIjrzWhTgnTiMUs
p64rpfycd+1aj+y57pK9
=jKit
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.