From: Xin LI
Date: Sun, 08 Nov 2009 20:30:36 -0800
To: Wesley Shields
Cc: Dirk Meyer, cvs-ports@FreeBSD.ORG, cvs-all@FreeBSD.ORG, ports-committers@FreeBSD.ORG
Subject: Re: cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546

Wesley Shields wrote:
> On Sat, Nov 07, 2009 at 08:52:25AM +0000, N.J. Mann wrote:
>> In message <200911062137.nA6LbG1U080346@repoman.freebsd.org>,
>> Dirk Meyer (dinoex@FreeBSD.org) wrote:
>>> dinoex 2009-11-06 21:37:16 UTC
>>>
>>> FreeBSD ports repository
>>>
>>> Modified files:
>>> graphics/gd Makefile
>>> Added files:
>>> graphics/gd/files patch-cve-2009-3546
>>> Log:
>>> - Security patch
>>> Security: CVE-2009-3546
>>> Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>>> PR: 140335
>>> Submitted by: Eygene Ryabinkin
>>> Obtained from: PHP project
>>>
>>> Revision Changes Path
>>> 1.92 +1 -1 ports/graphics/gd/Makefile
>>> 1.1 +15 -0 ports/graphics/gd/files/patch-cve-2009-3546 (new)
>> I think there is something wrong with the vulnerabilities entry for this
>> port which stops this update completing. I just tried updating this
>> port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:
>>
>>
>> ===> gd-2.0.35_2,1 has known vulnerabilities:
>> => gd -- '_gdGetColors' remote buffer overflow vulnerability.
>> Reference:
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/graphics/gd.
>> *** Error code 1
>>
>> Stop in /usr/ports/graphics/gd.
>>
>>
>> I had a look at the portaudit entry at the URL given. I am unfamiliar
>> with the syntax of these entries, but the 'Affects' entries look
>> suspicious to me, e.g. "gd >0'. Does it need correcting?
>
> Yes, and I have fixed it for graphics/gd. I'm unsure about the status of
> the other ports mentioned in the entry so I left them alone.

Thanks!

Note that I remember that there are some other problems with the current
gd version, I'll follow up with dinoex@ and ale@ later for these issues,
if they really exist.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
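
The behaviour reported in the quoted exchange, as an added example that is not part of the original message and not portaudit's own code: an open-ended "gd >0" range still matches the patched gd-2.0.35_2,1, so the update is refused. The spec syntax is modelled on the "gd >0" string quoted above, the version parser is simplified to dotted numeric versions, and the upper bound `<2.0.35_2,1` is an assumption, since the thread does not say what the corrected entry contains.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}

def parse_version(v):
    """Sort key for PORTVERSION[_PORTREVISION][,PORTEPOCH] (dotted numbers only)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    dotted = tuple(int(x) for x in m.group(1).split("."))
    # Epoch outranks the version, which outranks the port revision.
    return (int(m.group(3) or 0), dotted, int(m.group(2) or 0))

def conditions(spec):
    """Split a spec such as 'gd >0' into ('gd', [('>', '0')])."""
    name, *conds = spec.split()
    parsed = []
    for cond in conds:
        m = re.fullmatch(r"(<=|>=|<|>|=)(\S+)", cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond!r}")
        parsed.append((m.group(1), m.group(2)))
    return name, parsed

def affected(pkg, spec):
    """True if an installed package such as 'gd-2.0.35_2,1' falls inside spec."""
    name, version = pkg.rsplit("-", 1)
    spec_name, conds = conditions(spec)
    if name != spec_name:
        return False
    key = parse_version(version)
    return all(OPS[op](key, parse_version(bound)) for op, bound in conds)

def open_ended(spec):
    """True if the range has no upper bound. That is correct only while no
    fixed version exists; once a fix is committed, every later version of
    the port still matches and is blocked."""
    _, conds = conditions(spec)
    return not any(op in ("<", "<=", "=") for op, _ in conds)

if __name__ == "__main__":
    # "gd >0" is quoted in the thread; "gd <2.0.35_2,1" is an assumed correction.
    for spec in ("gd >0", "gd <2.0.35_2,1"):
        for pkg in ("gd-2.0.35_1,1", "gd-2.0.35_2,1"):
            print(f"{spec!r:20} {pkg:15} affected={affected(pkg, spec)}")
        print(f"{spec!r:20} open_ended={open_ended(spec)}")
```

Running `open_ended` over the affects ranges whenever a security fix is committed catches this kind of entry before users hit the install failure.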