cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546

Wesley Shields wxs at FreeBSD.org
Sun Nov 8 23:34:15 UTC 2009


On Sat, Nov 07, 2009 at 08:52:25AM +0000, N.J. Mann wrote:
> In message <200911062137.nA6LbG1U080346 at repoman.freebsd.org>,
> 	Dirk Meyer (dinoex at FreeBSD.org) wrote:
> > dinoex      2009-11-06 21:37:16 UTC
> > 
> >   FreeBSD ports repository
> > 
> >   Modified files:
> >     graphics/gd          Makefile 
> >   Added files:
> >     graphics/gd/files    patch-cve-2009-3546 
> >   Log:
> >   - Security patch
> >   Security: CVE-2009-3546
> >   Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
> >   PR:             140335
> >   Submitted by:   Eygene Ryabinkin
> >   Obtained from:  PHP project
> >   
> >   Revision  Changes    Path
> >   1.92      +1 -1      ports/graphics/gd/Makefile
> >   1.1       +15 -0     ports/graphics/gd/files/patch-cve-2009-3546 (new)
> 
> I think there is something wrong with the vulnerabilities entry for this
> port which stops this update completing.  I just tried updating this
> port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:
> 
> 
> ===>  gd-2.0.35_2,1 has known vulnerabilities:
> => gd -- '_gdGetColors' remote buffer overflow vulnerability.
>    Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
> => Please update your ports tree and try again.
> *** Error code 1
> 
> Stop in /usr/ports/graphics/gd.
> *** Error code 1
> 
> Stop in /usr/ports/graphics/gd.
> 
> 
> I had a look at the portaudit entry at the URL given.  I am unfamiliar
> with the syntax of these entries, but the 'Affects' entries look
> suspicious to me, e.g. "gd >0".  Does it need correcting?

Yes, and I have fixed it for graphics/gd. I'm unsure about the status of
the other ports mentioned in the entry so I left them alone.

Thanks!

-- WXS
