From owner-freebsd-ports-bugs@FreeBSD.ORG Sat May 3 12:40:01 2008
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3AD3F106567C for ; Sat, 3 May 2008 12:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 291E68FC1A for ; Sat, 3 May 2008 12:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m43Ce0tF094134 for ; Sat, 3 May 2008 12:40:00 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m43Ce04a094133; Sat, 3 May 2008 12:40:00 GMT (envelope-from gnats)
Resent-Date: Sat, 3 May 2008 12:40:00 GMT
Resent-Message-Id: <200805031240.m43Ce04a094133@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Henrik Brix Andersen
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E08C8106564A; Sat, 3 May 2008 12:38:21 +0000 (UTC) (envelope-from brix@lothlorien.brixandersen.dk)
Received: from solow.pil.dk (relay.pil.dk [195.41.47.164]) by mx1.freebsd.org (Postfix) with ESMTP id 9CABB8FC22; Sat, 3 May 2008 12:38:21 +0000 (UTC) (envelope-from brix@lothlorien.brixandersen.dk)
Received: from lothlorien.brixandersen.dk (0x55534f5f.adsl.cybercity.dk [85.83.79.95]) by solow.pil.dk (Postfix) with ESMTP id 62E061CC162; Sat, 3 May 2008 14:22:05 +0200 (CEST)
Received: by lothlorien.brixandersen.dk (Postfix, from userid 1001) id D64D01142B; Sat, 3 May 2008 14:22:04 +0200 (CEST)
Message-Id: <20080503122204.D64D01142B@lothlorien.brixandersen.dk>
Date: Sat, 3 May 2008 14:22:04 +0200 (CEST)
From: Henrik Brix Andersen
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: alexbl@FreeBSD.org
Subject: ports/123366: [patch] Security update for graphics/swfdec
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Henrik Brix Andersen
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 03 May 2008 12:40:01 -0000

>Number:         123366
>Category:       ports
>Synopsis:       [patch] Security update for graphics/swfdec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 03 12:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Henrik Brix Andersen
>Release:        FreeBSD 8.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD lothlorien.brixandersen.dk 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri May 2 13:48:00 CEST 2008 root@lothlorien.brixandersen.dk:/usr/obj/usr/src/sys/LOTHLORIEN-DEBUG i386
>Description:
From http://secunia.com/advisories/29915/ :

"A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the content of arbitrary local files by e.g. tricking a user into visiting a malicious website.

The vulnerability is reported in versions prior to 0.6.4."
>How-To-Repeat:
>Fix:
Below is a patch for updating graphics/swfdec to version 0.6.6. Please note that the patch removes files/patch-swfdec-gtk_swfdec_gtk_system.c which is no longer needed with this release.

The patch also corrects the include of bsd.port.*.mk - .pre.mk must be included before testing OPTIONS.
--- swfdec.diff begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/graphics/swfdec/Makefile,v retrieving revision 1.52 diff -u -p -r1.52 Makefile --- Makefile 24 Mar 2008 03:49:48 -0000 1.52 +++ Makefile 3 May 2008 12:14:16 -0000 @@ -7,8 +7,7 @@ # PORTNAME= swfdec -PORTVERSION= 0.6.0 -PORTREVISION= 1 +PORTVERSION= 0.6.6 CATEGORIES= graphics MASTER_SITES= http://swfdec.freedesktop.org/download/swfdec/0.6/ @@ -31,6 +30,8 @@ OPTIONS= GSTREAMER "Support for decoding PLIST_SUB= VERSION=${PORTVERSION:R} +.include + .if defined(WITH_GSTREAMER) USE_GSTREAMER= yes .else @@ -41,4 +42,5 @@ CONFIGURE_ARGS+= --disable-gstreamer --e post-patch: @${REINPLACE_CMD} -e 's|SWFDEC_LIBVERSION="0:0:0"|SWFDEC_LIBVERSION="1:0:0"|' ${WRKSRC}/configure.ac -.include + +.include Index: distinfo =================================================================== RCS file: /home/pcvs/ports/graphics/swfdec/distinfo,v retrieving revision 1.18 diff -u -p -r1.18 distinfo --- distinfo 24 Mar 2008 03:49:48 -0000 1.18 +++ distinfo 3 May 2008 12:14:16 -0000 @@ -1,3 +1,3 @@ -MD5 (swfdec-0.6.0.tar.gz) = c012a5e6dd23558b86d2e08e2e43857b -SHA256 (swfdec-0.6.0.tar.gz) = bd7c9068ce545ef75f8820b94f6b0954194ca5b106a53463bf9a6ed448fa057f -SIZE (swfdec-0.6.0.tar.gz) = 8762575 +MD5 (swfdec-0.6.6.tar.gz) = 3e91d48e0b8b839e12ff8f9ced4b5040 +SHA256 (swfdec-0.6.6.tar.gz) = 46d95b19f6a855ee95671928f1d23cd3991a151131a13fa89d2c388ad20e4a82 +SIZE (swfdec-0.6.6.tar.gz) = 8773316 Index: files/patch-swfdec-gtk_swfdec_gtk_system.c =================================================================== RCS file: files/patch-swfdec-gtk_swfdec_gtk_system.c diff -N files/patch-swfdec-gtk_swfdec_gtk_system.c --- files/patch-swfdec-gtk_swfdec_gtk_system.c 24 Mar 2008 03:49:49 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,16 +0,0 @@ ---- swfdec-gtk/swfdec_gtk_system.c.orig 2008-02-22 15:38:09.000000000 -0500 -+++ swfdec-gtk/swfdec_gtk_system.c 2008-02-22 15:38:13.000000000 -0500 -@@ -114,8 +114,12 @@ swfdec_gtk_system_get_language (void) - static int - swfdec_gtk_system_get_utc_offset (void) - { -+ struct tm *t; -+ time_t tt; - tzset (); -- return timezone / 60; -+ tt = time (NULL); -+ t = localtime (&tt); -+ return t->tm_gmtoff / 60; - } - - /*** PUBLIC API ***/ --- swfdec.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
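Review bot: in the Makefile hunk `@@ -31,6 +30,8 @@`, the added `.include` line placed before `.if defined(WITH_GSTREAMER)` appears without its file argument in this copy (the angle-bracketed name was lost); per the Fix description it is meant to be `.include <bsd.port.pre.mk>`, and that placement is the correct one: the `WITH_*` knobs chosen in the OPTIONS dialog are only defined once `bsd.port.pre.mk` has been processed, so the previous ordering tested `WITH_GSTREAMER` before it could be set and the GStreamer choice was silently ignored.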
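Review bot: in the Makefile hunk `@@ -41,4 +42,5 @@`, the closing `.include` has also lost its argument in this copy; once `bsd.port.pre.mk` is included earlier in the file, this final include must be `bsd.port.post.mk` (the pair replaces a single `bsd.port.mk`), so please make sure the committed version reads `.include <bsd.port.post.mk>`. The unchanged post-patch line in the same hunk, `@${REINPLACE_CMD} -e 's|SWFDEC_LIBVERSION="0:0:0"|SWFDEC_LIBVERSION="1:0:0"|' ${WRKSRC}/configure.ac`, should be re-checked against the 0.6.6 configure.ac: REINPLACE_CMD does not fail when its pattern matches nothing, so if upstream changed the libversion string between 0.6.0 and 0.6.6 the substitution silently does nothing and the installed shared-library names may no longer match pkg-plist (which derives VERSION from `${PORTVERSION:R}`).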
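Review bot: the distinfo hunk `@@ -1,3 +1,3 @@` should be produced by `make makesum` from a tarball fetched via the MASTER_SITES in the Makefile, and the committer should compare the new SHA256 with any checksum upstream publishes for swfdec-0.6.6.tar.gz before committing; distinfo is the only integrity check the ports build performs on the distfile, so a hash copied from an untrusted source would defeat the purpose of a security update.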
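Review bot: deleting files/patch-swfdec-gtk_swfdec_gtk_system.c (hunk `@@ -1,16 +0,0 @@`) is only safe if the 0.6.6 sources no longer compute the UTC offset from the `timezone` global; the removed patch replaced `return timezone / 60;` with `localtime()`'s `t->tm_gmtoff / 60`, which is the form that builds on FreeBSD. The PR states the patch is no longer needed but does not show the new upstream code, so please confirm by building on the submitter's 8.0-CURRENT system or by checking swfdec-gtk/swfdec_gtk_system.c in the new tarball before dropping it.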