Date:      Sat, 7 Nov 2009 08:52:25 +0000
From:      "N.J. Mann" <njm@njm.me.uk>
To:        Dirk Meyer <dinoex@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546
Message-ID:  <20091107085225.GA10184@titania.njm.me.uk>
In-Reply-To: <200911062137.nA6LbG1U080346@repoman.freebsd.org>
References:  <200911062137.nA6LbG1U080346@repoman.freebsd.org>

In message <200911062137.nA6LbG1U080346@repoman.freebsd.org>,
	Dirk Meyer (dinoex@FreeBSD.org) wrote:
> dinoex      2009-11-06 21:37:16 UTC
> 
>   FreeBSD ports repository
> 
>   Modified files:
>     graphics/gd          Makefile 
>   Added files:
>     graphics/gd/files    patch-cve-2009-3546 
>   Log:
>   - Security patch
>   Security: CVE-2009-3546
>   Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>   PR:             140335
>   Submitted by:   Eygene Ryabinkin
>   Obtained from:  PHP project
>   
>   Revision  Changes    Path
>   1.92      +1 -1      ports/graphics/gd/Makefile
>   1.1       +15 -0     ports/graphics/gd/files/patch-cve-2009-3546 (new)

I think there is something wrong with the vulnerabilities entry for this
port which stops this update completing.  I just tried updating this
port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:


===>  gd-2.0.35_2,1 has known vulnerabilities:
=> gd -- '_gdGetColors' remote buffer overflow vulnerability.
   Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/graphics/gd.
*** Error code 1

Stop in /usr/ports/graphics/gd.


I had a look at the portaudit entry at the URL given.  I am unfamiliar
with the syntax of these entries, but the 'Affects' entries look
suspicious to me, e.g. 'gd >0'.  Does it need correcting?


Cheers,
       Nick.
-- 



