Bug 152816 - CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: kdegraphics (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://bugzilla.redhat.com/bugzilla/...
1, LEGACY, rh73, rh90, NEEDSWORK
: Security
Depends On:
Blocks: Leg-KDE-Track
  Show dependency treegraph
 
Reported: 2004-10-16 05:10 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-11 20:06:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:28:28 EST
kdefax contains it's own libtiff library which contains the libtiff vulnerabilities:

CAN-2004-0803

    Chris Evans discovered several problems in the RLE (run length
    encoding) decoders that could lead to arbitrary code execution.

CAN-2004-0804

    Matthias Clasen discovered a division by zero through an integer
    overflow.

CAN-2004-0886

    Dmitry V. Levin discovered several integer overflows that caused
    malloc issues which can result to either plain crash or memory
    corruption.

Reference:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135471
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135470
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135469
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135466



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-29 07:51:02 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here is an updated kdepgraphics package to QA for fc1:
 
this package should fix:
- - CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
- - compilation under mach
 
notes:
the same patch (or very similar) should work with rh90 package.  but
i figured i'd go ahead and submit these for QA since i'll be away
for a few days.
 
changelog:
* Thu Oct 28 2004 Rob Myers <rob.myers@gtri.gatech.edu> 7:3.1.4-1.1.legacy
- - add fix to link against system libtiff CAN-2004-0886 (FL #2164)
- - add BuildRequires: autoconf automake arts-devel gnome-libs-devel
- - change %ifarch %{scanner_archs} to %ifnarch s390 s390x
 
sha1sums:
f6995e7782b7a0968aef80413bb7079c1e9112a5  kdegraphics-3.1.4-1.1.legacy.i386.rpm
cf273e5fd892b30bf87b637e45b66849e731baea  kdegraphics-3.1.4-1.1.legacy.src.rpm
37f45f663e841c7b429470d08a64ee2dba2e10b0 
kdegraphics-debuginfo-3.1.4-1.1.legacy.i386.rpm
fcbd23eb3eb88a2eade16f449bf1c5ab64887f76 
kdegraphics-devel-3.1.4-1.1.legacy.i386.rpm
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-3.1.4-1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-3.1.4-1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-debuginfo-3.1.4-1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-devel-3.1.4-1.1.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBgn/ltU2XAt1OWnsRAsruAJ9DF7uGy0Jp2slE1sq0PzavSPZgDwCfZKsk
2Z7uudzVRnomXgI6ID2U4aQ=
=khJK
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-11-04 01:14:50 ----

Via the mailing list (from rob):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here is an updated kdepgraphics package to QA for rh9:
 
this package should fix:
- - CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
- - compilation under mach
 
changelog:
* Fri Oct 29 2004 Rob Myers <rob.myers@gtri.gatech.edu> 3.1-5.1.legacy
- - add fix to link against system libtiff CAN-2004-0886 (FL #2164)
- - add BuildRequires: autoconf automake arts-devel gnome-libs-devel
- - to build in mach: mach chroot "'(cd /usr/lib ; ln -s
libart_lgpl_2.so.2
  libart_lgpl_2.so)'"
- - change %ifarch %{scanner_archs} to %ifnarch s390 s390x
- - add BuildRequires: libusb-devel
 
 
sha1sums:
7ccb38fa7f1408266b5d0e1654703b03d21994a6 
kdegraphics-3.1-5.1.legacy.i386.rpm
6a8c48f3a6f0ef82f1d7d0798402d1cb40befc5d 
kdegraphics-3.1-5.1.legacy.src.rpm
628d626d306417f658959f1ec84b99a603420acb 
kdegraphics-debuginfo-3.1-5.1.legacy.i386.rpm
aa394e19c6afb8314a04b9539797a7747a3420df 
kdegraphics-devel-3.1-5.1.legacy.i386.rpm
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-3.1-5.1.legacy.sr
c.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-3.1-5.1.legacy.i3
86.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-debuginfo-3.1-5.1
.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-devel-3.1-5.1.leg
acy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBiQFhtU2XAt1OWnsRAn/WAKCb1R4/ZZDPNeXcTYPHsPoZfutHrgCfWh/z
MlqTcOeKjnJnn7bFgb6LXks=
=JDMJ
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-04 04:47:52 ----

dominic, thanks for picking that off the mailing list and posting for me. :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here is an updated kdepgraphics package to QA for rh73:
 
this package should fix:
- - CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
- - compilation under mach
 
notes:
for some reason mach did not strip these binaries.
 
changelog:
* Wed Nov 03 2004 Rob Myers <rob.myers@gtri.gatech.edu> 3.0.5a-0.73.2.legacy
- - add fix to link against system libtiff CAN-2004-0886 (FL #2164)
- - add BuildRequires: autoconf automake libtool arts-devel libusb-devel
 
sha1sums:
d4143615819da32b2863574f00e53d1ce7bca71e  kamera-3.0.5a-0.73.2.legacy.i386.rpm
c439566fbd3babefb9c77b2e854cd6e5446da24e  kcoloredit-3.0.5a-0.73.2.legacy.i386.rpm
e1048b432c9394db59fe7bd3bfbe07b0d960f28e  kdegraphics-3.0.5a-0.73.2.legacy.src.rpm
a0fe284c4d9dadc27d6795dff04232d84fd2a723  kdvi-3.0.5a-0.73.2.legacy.i386.rpm
0c9770e7e394359d5fb7fb9b99a07b6c2cee1fa5  kfax-3.0.5a-0.73.2.legacy.i386.rpm
3361d710494b99faa80e890d639464e37b0a6ed8  kfile-pdf-3.0.5a-0.73.2.legacy.i386.rpm
b04a19d508767b77734cbec080d2023e0eccf163  kfile-png-3.0.5a-0.73.2.legacy.i386.rpm
62515873bab3d63efedd9c492b06a14ab8f4150e  kfract-3.0.5a-0.73.2.legacy.i386.rpm
9d2569cc389136788cac8adb5b01d5595909c63e  kghostview-3.0.5a-0.73.2.legacy.i386.rpm
e014aca2119b795c57696630bc82dddce2bf9df5  kiconedit-3.0.5a-0.73.2.legacy.i386.rpm
f96bedb33b40f334186eb9ea94ed299ab8d3a883  kooka-3.0.5a-0.73.2.legacy.i386.rpm
2abb8238b68ac4ec89850f66da2f8cb72f9305b9  kpaint-3.0.5a-0.73.2.legacy.i386.rpm
e13fb6329b39f3208a22c28e910642910fada9d8  kruler-3.0.5a-0.73.2.legacy.i386.rpm
bf3cc5a3846aef3fcc74b3b1511c012fb45c7c7a  ksnapshot-3.0.5a-0.73.2.legacy.i386.rpm
190f8de9b64ead5899aac0b7727dffa9064ced34  kuickshow-3.0.5a-0.73.2.legacy.i386.rpm
56887e9501e246c176fd157973f70ce77c7ef38d  kview-3.0.5a-0.73.2.legacy.i386.rpm
a28a98c03a422cc5726227f4727efce4ea71ba69  kviewshell-3.0.5a-0.73.2.legacy.i386.rpm
efd566cd4e978cd5d2e70f1ffde457cfcffdf5fa 
kviewshell-devel-3.0.5a-0.73.2.legacy.i386.rpm
c5b6d718816462ea9069ff8ff348a02044c44353  libkscan-3.0.5a-0.73.2.legacy.i386.rpm
e0882379a269a3d8378d0984b35a16a54ac10f81 
libkscan-devel-3.0.5a-0.73.2.legacy.i386.rpm
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdegraphics-3.0.5a-0.73.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kamera-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kcoloredit-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kdvi-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kfax-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kfile-pdf-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kfile-png-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kfract-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kghostview-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kiconedit-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kooka-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kpaint-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kruler-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/ksnapshot-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kuickshow-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kview-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kviewshell-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/kviewshell-devel-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libkscan-3.0.5a-0.73.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/libkscan-devel-3.0.5a-0.73.2.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBikChtU2XAt1OWnsRAvzdAKCW3RXKMQbnHIxgFfL1ktq8nEnsxwCfSOVA
9GMcfhO13eFIuMQS+l4AG3I=
=9Teh
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-21 20:29:56 ----

Uh-oh, these just hit bugtraq:

====
libtiff Directory Entry Count Integer Overflow Vulnerability
                                                                               
                
iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=174&type=vulnerabilities
====
libtiff STRIPOFFSETS Integer Overflow Vulnerability
                                                                               
                
iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=173&type=vulnerabilities
December 21, 2004
====

The patch is included in one of the above, and the second is fixed in 3.7.0.
I guess this requires repackaging...

It'll also need to be verified that 0929 is not applicable (ie., kdefax does not
incorporate OJPEG support).

If it would be easy to achieve, I'd consider ripping out the own libtiff
implementation and replacing it with linking.. but the world is not a perfect
place..




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-22 17:57:20 ----

am i missing something or don't all the packages i submitted link against the
system libtiff?



------- Additional Comments From pekkas@netcore.fi 2004-12-22 22:17:21 ----

Sorry, you're correct, I didn't look at the changelogs closely enough.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for all kdegraphics SRPMS w/ rpm-build-compare:
 - sources are OK
 - spec changes are suitably minimal, buildreqs are OK
 - the patches have been verified to correspond to FC2's update.
 - compilation and building not tested, except RHL9.

On RHL9, I tried to build the package but it at %install for some reason:

[...]
desktop-file-install created an invalid desktop file!
error: Bad exit status from /var/tmp/rpm-tmp.96442 (%install)

Longer warning message is below (non-signed).  This may be caused by my
system or not -- I didn't notice any changes to the packaging on this, so if
this would work in mach build, feel free to push it forward.

+PUBLISH RHL9,RHL73,FC1 (with the building caveat above)

e1048b432c9394db59fe7bd3bfbe07b0d960f28e  kdegraphics-3.0.5a-0.73.2.legacy.src.rpm
cf273e5fd892b30bf87b637e45b66849e731baea  kdegraphics-3.1.4-1.1.legacy.src.rpm
6a8c48f3a6f0ef82f1d7d0798402d1cb40befc5d  kdegraphics-3.1-5.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByn6mGHbTkzxSL7QRAm68AJwMwB6JlSxDvVhsInqOiq5rpim3ZQCbBG0W
bKWtrMnOVsdtEVMWiSm2byU=
=Me18
-----END PGP SIGNATURE-----

(the output has been cut-off at 80 chars due to me running this in a restricted
environment..)

+ desktop-file-install --vendor kde --dir
/var/tmp/kdegraphics-buildroot/usr/share/applications --delete-originalp
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kcoloredit.desktop:
warning: file contains key "Terminad
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kcoloredit.desktop:
warning: boolean key "Terminal" hasy
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kcoloredit.desktop:
warning: file contains key "BinaryPd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kcoloredit.desktop:
warning: file contains key "DocPath"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
file contains key "BinaryPatternd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
file contains key "InitialPrefer"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
file contains key "TerminalOptiod
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
boolean key "Terminal" has valuey
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
file contains key "ServiceTypes""
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kdvi.desktop: warning:
file contains key "DocPath", thi"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kfax.desktop: warning:
file contains key "BinaryPatternd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kfax.desktop: warning:
file contains key "TerminalOptiod
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kfax.desktop: warning:
boolean key "Terminal" has valuey
+ desktop-file-install --vendor kde --dir
/var/tmp/kdegraphics-buildroot/usr/share/applications --delete-originalp
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-ksnapshot.desktop:
warning: file contains key "BinaryPad
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-ksnapshot.desktop:
warning: file contains key "Terminald
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-ksnapshot.desktop:
warning: boolean key "Terminal" has y
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-ksnapshot.desktop:
warning: file contains key "DocPath""
+ desktop-file-install --vendor kde --dir
/var/tmp/kdegraphics-buildroot/usr/share/applications --delete-originalp
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kuickshow.desktop:
warning: file contains key "DocPath""
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kuickshow.desktop:
warning: boolean key "Terminal" has y
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kuickshow.desktop:
warning: file contains key "InitialP"
+ desktop-file-install --vendor kde --dir
/var/tmp/kdegraphics-buildroot/usr/share/applications --delete-originalp
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kghostview.desktop:
warning: file contains key "Initial"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kghostview.desktop:
warning: file contains key "DocPath"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kghostview.desktop:
warning: boolean key "Terminal" hasy
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kghostview.desktop:
warning: file contains key "Service"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kiconedit.desktop:
warning: file contains key "BinaryPad
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kiconedit.desktop:
warning: file contains key "Terminald
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kiconedit.desktop:
warning: file contains key "DocPath""
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kiconedit.desktop:
warning: boolean key "Terminal" has y
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpaint.desktop:
warning: file contains key "DocPath", t"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpaint.desktop:
warning: boolean key "Terminal" has valy
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kruler.desktop:
warning: file contains key "BinaryPatted
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kruler.desktop:
warning: file contains key "DocPath", t"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kruler.desktop:
warning: file contains key "TerminalOptd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kruler.desktop:
warning: boolean key "Terminal" has valy
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kview.desktop:
warning: file contains key "TerminalOptid
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kview.desktop:
warning: file contains key "DocPath", th"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kview.desktop:
warning: boolean key "Terminal" has valuy
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kview.desktop:
warning: file contains key "BinaryPatterd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kview.desktop:
warning: file contains key "InitialPrefe"
/var/tmp/kdegraphics-buildroot/usr/share/applnk/Graphics/kpovmodeler.desktop:
missing encoding  (guessed UTF-8)
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpovmodeler.desktop:
error: required key "Name" not foud
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpovmodeler.desktop:
warning: file contains key "Binaryd
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpovmodeler.desktop:
warning: file contains key "DocPat"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpovmodeler.desktop:
warning: file contains key "Servic"
/var/tmp/kdegraphics-buildroot/usr/share/applications/kde-kpovmodeler.desktop:
warning: file contains key "Termind

desktop-file-install created an invalid desktop file!
error: Bad exit status from /var/tmp/rpm-tmp.96442 (%install)




------- Additional Comments From pekkas@netcore.fi 2005-02-18 21:57:38 ----

Hmm.  I guess this should be ready to go to updates-testing if kdefax now uses
system libtiff and is not vulnerable to newer issues?



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2164 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2164
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2163.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 David Eisenstein 2005-09-22 20:18:07 EDT
Should these packages be built for updates-testing?

Or do they need further QA?

http://rhn.redhat.com/errata/RHSA-2005-021.html
Comment 2 Pekka Savola 2005-09-23 00:34:22 EDT
AFAIK, these have been waiting building in mach for about half a year now, but
sure if there was a compilation problem or something.  Marc, anything we could
do to help with this?
Comment 3 Marc Deslauriers 2005-09-24 20:16:50 EDT
If I remember correctly, I couldn't get these to build successfully in mach with
the same dependencies. I haven't tried them in a while though.
Comment 4 David Eisenstein 2006-02-05 06:11:43 EST
Revisiting kdegraphics, as we now have additional issues, which you can
see in attachment 124200 [details] from Bug #179804 in column F on lines that say 
"kdegraphics".

But the first issue here, I think, is that I cannot find Rob Myers
original packages.  They were reviewed here and source was discerned to
be okay for RHL7.3, RHL9, and FC1 for letting these packages to be built
for updates-testing, but I don't know where the sources are.  I can't
find them on jane nor anywhere else.  But that may be moot anyway. . . .

IN THE MEANTIME, it appears that Red Hat's kde expert, Ngo Than, appears
to have attempted fixes for RHEL2.1 and RHEL3 that used the system libtiff,
eventually discarding those fixes to instead make internal fixes to the
kdegraphics' package's internal libtiff instead.  Here's the changelog
from the RHEL3 packages from Red Hat's 2005-04-12 announcement of
RHSA-2005-0021 <http://rhn.redhat.com/errata/RHSA-2005-021.html> (RHEL2's
looks very similar):

     * Thu Feb 03 2005 Than Ngo <than@redhat.com> 7:3.1.3-3.7
     - fix internel libtiff instead using system libtiff

     * Thu Dec 09 2004 Than Ngo <than@redhat.com> 7:3.1.3-3.6
     - backport CVS patch to fix kfax for using fax2ps and tiff2ps
       directly instead own old libtiff
     - backport CVS patch to fix kfax crash

     * Fri Oct 29 2004 Than Ngo <than@redhat.com> 7:3.1.3-3.5
     - fix buildprereq on s390/s390x

     * Wed Oct 12 2004 Than Ngo <than@redhat.com> 7:3.1.3-3.4
     - Fix kfax to use system libtiff
     - Add missing Prereq /sbin/ldconfig

SO, since Rob's packages are lost, and Red Hat decided to go a different
direction than Rob did anyway, my thought would be to toss this bug report
and start with a new, fresh bug report and fresh kdegraphics packages,
using Red Hat's patches for the CAN-2004-{0803,0804,0886} issues we had
handled here, and then adding the new patches in that new bug report.
That'll get rid of a lot of cruft for folks to have to sort through...

What do you all think???
Comment 5 Marc Deslauriers 2006-02-07 23:35:14 EST
That would probably be the best way to go. You've got my vote.
Comment 6 Pekka Savola 2006-02-09 04:38:41 EST
Sure, the closer we're to upstream, the better.
Comment 7 rob 2006-02-09 08:30:03 EST
i didn't realize those packages had become unavailable.  that should be resolved
now in case they are needed for reference.  sorry for the inconvenience.
Comment 8 David Eisenstein 2006-03-06 21:39:20 EST
Thanks, Rob!  We may need them!
Comment 9 David Eisenstein 2007-04-11 20:06:58 EDT
Red Hat Linux and Fedora Core releases <=4 are now completely unmaintained.
These bugs can't be fixed in these versions. If the issue still persists in
current Fedora Core releases, please reopen.  Thank you, and sorry about this.

Note You need to log in before you can comment on or make changes to this bug.