cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546

Xin LI delphij at delphij.net
Mon Nov 9 04:30:58 UTC 2009


Wesley Shields wrote:
> On Sat, Nov 07, 2009 at 08:52:25AM +0000, N.J. Mann wrote:
>> In message <200911062137.nA6LbG1U080346 at repoman.freebsd.org>,
>> 	Dirk Meyer (dinoex at FreeBSD.org) wrote:
>>> dinoex      2009-11-06 21:37:16 UTC
>>>
>>>   FreeBSD ports repository
>>>
>>>   Modified files:
>>>     graphics/gd          Makefile 
>>>   Added files:
>>>     graphics/gd/files    patch-cve-2009-3546 
>>>   Log:
>>>   - Security patch
>>>   Security: CVE-2009-3546
>>>   Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>>>   PR:             140335
>>>   Submitted by:   Eygene Ryabinkin
>>>   Obtained from:  PHP project
>>>   
>>>   Revision  Changes    Path
>>>   1.92      +1 -1      ports/graphics/gd/Makefile
>>>   1.1       +15 -0     ports/graphics/gd/files/patch-cve-2009-3546 (new)
>> I think there is something wrong with the vulnerabilities entry for this
>> port which stops this update completing.  I just tried updating this
>> port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:
>>
>>
>> ===>  gd-2.0.35_2,1 has known vulnerabilities:
>> => gd -- '_gdGetColors' remote buffer overflow vulnerability.
>>    Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/graphics/gd.
>> *** Error code 1
>>
>> Stop in /usr/ports/graphics/gd.
>>
>>
>> I had a look at the portaudit entry at the URL given.  I am unfamiliar
>> with the syntax of these entries, but the 'Affects' entries look
>> suspicious to me, e.g. "gd >0".  Does it need correcting?
> 
> Yes, and I have fixed it for graphics/gd. I'm unsure about the status of
> the other ports mentioned in the entry so I left them alone.

Thanks!

Note that I remember that there are some other problems with the current
gd version; I'll follow up with dinoex@ and ale@ later on these issues,
if they really exist.

Cheers,
-- 
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!	       Live free or die
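To show why the portaudit entry blocked the update, here is an added example (not from the thread, the commit, or FreeBSD's own tools): a simplified, hypothetical version-range matcher modelled on pkg_version(1) ordering, where the bogus range "gd >0" matches every gd version including the patched 2.0.35_2,1, while a range that stops at the fixed version does not.

```python
import re
from typing import List, Tuple

# Simplified ordering for FreeBSD package versions of the form
# version[_revision][,epoch] (an assumption modelled on pkg_version(1),
# not FreeBSD's code): epoch wins first, then version, then revision.

def parse_pkgver(s: str) -> Tuple[int, List[Tuple[int, str]], int]:
    """Split '2.0.35_2,1' into (epoch, version components, revision)."""
    epoch = 0
    if "," in s:
        s, e = s.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in s:
        s, r = s.split("_", 1)
        rev = int(r)
    # numeric and alphabetic runs become comparable tuples, so 2.0.35 > 2.0.9
    parts = [(int(t), "") if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[A-Za-z]+", s)]
    return epoch, parts, rev

def cmp_pkgver(a: str, b: str) -> int:
    """Return -1, 0 or 1 when a <, == or > b."""
    ea, pa, ra = parse_pkgver(a)
    eb, pb, rb = parse_pkgver(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))          # pad so 2.0 == 2.0.0
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "=": lambda c: c == 0}

def affected(pkg: str, spec: str) -> bool:
    """pkg is 'name-version'; spec is a portaudit-style 'name<2.0.35_2,1' or 'name>0'."""
    name, _, ver = pkg.rpartition("-")
    m = re.match(r"(\S+?)\s*(<=|>=|<|>|=)\s*(\S+)$", spec)
    if not m or m.group(1) != name:
        return False                    # entry is for a different port
    return OPS[m.group(2)](cmp_pkgver(ver, m.group(3)))
```

With the entry as committed, affected("gd-2.0.35_2,1", "gd >0") is True, which is exactly the "has known vulnerabilities" stop seen above; with an upper bound at the fixed version it is False.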