Bug 152816
Summary: | CAN-2004-0803,0803,0886 kdefax libtiff remote code execution | ||
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Marc Deslauriers <marc.deslauriers> |
Component: | kdegraphics | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED CANTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | deisenst, pekkas, rob.myers |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135466 | ||
Whiteboard: | 1, LEGACY, rh73, rh90, NEEDSWORK | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2007-04-12 00:06:58 UTC | Type: | --- |
Bug Blocks: | 179804 |
Description
David Lawrence
2005-03-30 23:28:28 UTC
Should these packages be built for updates-testing? Or do they need further QA? http://rhn.redhat.com/errata/RHSA-2005-021.html

AFAIK, these have been waiting building in mach for about half a year now, but sure if there was a compilation problem or something. Marc, anything we could do to help with this?

If I remember correctly, I couldn't get these to build successfully in mach with the same dependencies. I haven't tried them in a while though.

Revisiting kdegraphics, as we now have additional issues, which you can see in attachment 124200 from Bug #179804 in column F on lines that say "kdegraphics".

But the first issue here, I think, is that I cannot find Rob Myers' original packages. They were reviewed here and source was discerned to be okay for RHL7.3, RHL9, and FC1 for letting these packages to be built for updates-testing, but I don't know where the sources are. I can't find them on jane nor anywhere else. But that may be moot anyway. . . .

IN THE MEANTIME, it appears that Red Hat's kde expert, Ngo Than, appears to have attempted fixes for RHEL2.1 and RHEL3 that used the system libtiff, eventually discarding those fixes to instead make internal fixes to the kdegraphics' package's internal libtiff instead.

Here's the changelog from the RHEL3 packages from Red Hat's 2005-04-12 announcement of RHSA-2005-0021 <http://rhn.redhat.com/errata/RHSA-2005-021.html> (RHEL2's looks very similar):

* Thu Feb 03 2005 Than Ngo <than> 7:3.1.3-3.7
- fix internel libtiff instead using system libtiff

* Thu Dec 09 2004 Than Ngo <than> 7:3.1.3-3.6
- backport CVS patch to fix kfax for using fax2ps and tiff2ps directly instead own old libtiff
- backport CVS patch to fix kfax crash

* Fri Oct 29 2004 Than Ngo <than> 7:3.1.3-3.5
- fix buildprereq on s390/s390x

* Wed Oct 12 2004 Than Ngo <than> 7:3.1.3-3.4
- Fix kfax to use system libtiff
- Add missing Prereq /sbin/ldconfig

SO, since Rob's packages are lost, and Red Hat decided to go a different direction than Rob did anyway, my thought would be to toss this bug report and start with a new, fresh bug report and fresh kdegraphics packages, using Red Hat's patches for the CAN-2004-{0803,0804,0886} issues we had handled here, and then adding the new patches in that new bug report. That'll get rid of a lot of cruft for folks to have to sort through... What do you all think???

That would probably be the best way to go. You've got my vote.

Sure, the closer we're to upstream, the better.

I didn't realize those packages had become unavailable. That should be resolved now in case they are needed for reference. Sorry for the inconvenience.

Thanks, Rob! We may need them!

Red Hat Linux and Fedora Core releases <=4 are now completely unmaintained. These bugs can't be fixed in these versions. If the issue still persists in current Fedora Core releases, please reopen. Thank you, and sorry about this.