From: Davide Lemma <davide.lemma@sito.it>
To: ports@freebsd.org
Date: Mon, 31 Mar 2003 13:24:20 +0200
Subject: again... serious security hole in a port (dcgui/dclib)
Message-Id: <20030331132420.0b94c5ae.davide.lemma@sito.it>
Organization: S.I.TO (Sistemi Informatici Torino)
List: freebsd-ports@freebsd.org (Porting software to FreeBSD)

Hello again...

Really frustrated, this will be my last attempt to try to have a fresh, updated rebuild of a port with a really serious security hole committed.

The port is dcgui/dclib. As reported by the original developer (I'm on the development team too), there is a high-severity security hole in all versions of the software prior to version 0.2.3. This bug can compromise the whole system. The software lets the user share one or more directories of the system with other similar clients. With all versions prior to 0.2.3, a bug makes it possible to see the entire contents of the whole filesystem and not just the configured directories.

I already advised the official port's maintainer more than one month ago, but the answer was that he was giving up maintainership of the port. I have already sent the new diff files to update the port through send-pr. The current version is 0.2.8, while the ports tree still has version 0.1.11beta!! (one and a half years older).

I hope that with this notice a decision will be taken soon. Most users don't know how dangerous this kind of bug can be, and they can have their system compromised so easily.

Thanks in advance for your attention.

Best regards,
Davide Lemma

--
Davide Lemma >> Sistemi Informatici Torino >> www.sito.it
GPG Public Key: http://www.sito.it/davidelemma_pubkey.txt
GPG FingerPrint: DC91 31EC 163C 24FE E0E2 6DC6 5580 F134 D4EB 694D
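The class of bug the mail describes, a share-root escape in a file-sharing client, as an added illustration that is not dclib/dcgui code and says nothing about how that project's bug actually worked. The share layout, file names and function names below are constructed for the example: `naive_lookup` builds the served path by string concatenation, so a client-supplied `../` or a symlink planted inside the share reaches the rest of the filesystem; `confined_lookup` canonicalises the candidate and checks containment against the real share root before serving anything.

```python
"""
Share-root confinement check (added example, not dclib/dcgui code).

A hypothetical file-sharing client serves files only from configured share
roots. Both lookups take a path string supplied by a remote peer.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_lookup(share_root: str, requested: str) -> str:
    # Weak: plain concatenation, no canonicalisation. A "../" segment walks
    # out of share_root, and a symlink inside the share points anywhere.
    return os.path.join(share_root, requested)


def confined_lookup(share_roots: list[str], requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it lies inside one of the
    configured share roots after resolving '..' and symlinks, else None."""
    # A share path is always relative to a configured root; refuse anything
    # absolute or empty before touching the filesystem.
    if not requested or os.path.isabs(requested):
        return None
    for root in share_roots:
        real_root = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(real_root, requested))
        # commonpath is the containment test; a str.startswith check would
        # wrongly accept /srv/share_evil for the root /srv/share.
        try:
            if os.path.commonpath([real_root, candidate]) == real_root:
                return candidate
        except ValueError:
            # Paths on different drives (Windows); cannot be inside the root.
            continue
    return None


def build_demo_tree() -> tuple[str, str]:
    """Constructed fixture: a share root holding one public file, a secret
    outside the share, and a symlink inside the share pointing at it."""
    base = tempfile.mkdtemp(prefix="sharedemo-")
    share = os.path.join(base, "share")
    os.makedirs(share)
    Path(share, "public.txt").write_text("shared\n")
    Path(base, "secret.txt").write_text("not shared\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(share, "link"))
    return base, share


def demo() -> dict:
    """Run both lookups against the fixture and report what each served."""
    base, share = build_demo_tree()
    secret = os.path.realpath(os.path.join(base, "secret.txt"))
    return {
        # The weak lookup hands out the file outside the share.
        "naive_escapes": os.path.realpath(naive_lookup(share, "../secret.txt")) == secret,
        # The confined lookup serves only what is really under the root.
        "confined_public": confined_lookup([share], "public.txt"),
        "confined_dotdot": confined_lookup([share], "../secret.txt"),
        "confined_symlink": confined_lookup([share], "link"),
        "confined_abs": confined_lookup([share], secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check has to run on the resolved path, not the requested string: rejecting `..` textually does not catch the symlink case, and checking before `realpath` does not catch a share root that is itself a symlink. Serving should also open the file via the returned canonical path rather than re-joining the request, or a race between check and open reintroduces the escape.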