ports/129959: [patch] [vuxml] net/vinagre: fix security issue and update to 0.5.2

[Eygene Ryabinkin]

>Number:         129959
>Category:       ports
>Synopsis:       [patch] [vuxml] net/vinagre: fix security issue and update to 0.5.2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 26 17:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

CORE Security Technologies informed about vulnerability in vinagre:
-----
A format string error has been found on the 'vinagre_utils_show_error()'
function that can be exploited via commands issued from a malicious
server containing format string specifiers on the VNC name.

In a web based attack scenario, the user would be required to connect to
a malicious server. Successful exploitation would then allow the
attacker to execute arbitrary code with the privileges of the Vinagre user.
-----

Advisory says about 2.24.2 as the first non-vulnerable version.  The
update to the branch 2.24 were made at 05 Dec 2008.  The corresponding
update to the 0.5 branch were made at 05 Dec 2008 and the new version is
0.5.2.

Fix for 2.24 is here:
  http://svn.gnome.org/viewvc/vinagre/branches/gnome-2-24/src/vinagre-utils.c?r1=490&r2=525&view=patch

Fix for 0.5.2 was merged from branch gnome-2-22:
  http://svn.gnome.org/viewvc/vinagre/tags/VINAGRE_0_5_2/src/vinagre-utils.c?view=log

And the fix for branch gnome-2-22,
  http://svn.gnome.org/viewvc/vinagre/branches/gnome-2-22/src/vinagre-utils.c?r1=252&r2=528&pathrev=528
is the same as for 2.24.

>How-To-Repeat:

  http://www.coresecurity.com/content/vinagre-format-string
  http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news
  http://ftp.gnome.org/pub/GNOME/sources/vinagre/2.24/vinagre-2.24.2.news

>Fix:

The following patch updates the port to 0.5.2 thus fixing the security
issue:
--- update-to-0.5.2.diff begins here ---
>From 92848964e91e45011537456d4424c5968313cac2 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 26 Dec 2008 19:41:40 +0300

0.5.2 fixes security issue discovered by CORE Security Technologies:
  http://www.coresecurity.com/content/vinagre-format-string
  http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 net/vinagre/Makefile |    3 +--
 net/vinagre/distinfo |    6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/vinagre/Makefile b/net/vinagre/Makefile
index f4dad51..661184c 100644
--- a/net/vinagre/Makefile
+++ b/net/vinagre/Makefile
@@ -7,8 +7,7 @@
 #
 
 PORTNAME=	vinagre
-PORTVERSION=	0.5.1
-PORTREVISION=	3
+PORTVERSION=	0.5.2
 CATEGORIES=	net gnome
 MASTER_SITES=	${MASTER_SITE_GNOME}
 MASTER_SITE_SUBDIR=	sources/${PORTNAME}/${PORTVERSION:C/^([0-9]+\.[0-9]+).*/\1/}
diff --git a/net/vinagre/distinfo b/net/vinagre/distinfo
index ffe1f67..e8cb385 100644
--- a/net/vinagre/distinfo
+++ b/net/vinagre/distinfo
@@ -1,3 +1,3 @@
-MD5 (gnome2/vinagre-0.5.1.tar.bz2) = 48e0079631952216743720fa1c59f621
-SHA256 (gnome2/vinagre-0.5.1.tar.bz2) = 971d32e74b553a68babfed14bedb1118c9882e1f1e5614889ec6f0795885e2a3
-SIZE (gnome2/vinagre-0.5.1.tar.bz2) = 1048927
+MD5 (gnome2/vinagre-0.5.2.tar.bz2) = abf277899e28ec9beea9a2f7c331267d
+SHA256 (gnome2/vinagre-0.5.2.tar.bz2) = b45f084343ad892bc303e2d0dada186d588ae6f0ccc419340024a2533e5a775b
+SIZE (gnome2/vinagre-0.5.2.tar.bz2) = 1031512
-- 
1.6.0.6

--- update-to-0.5.2.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="214e8e07-d369-11dd-b800-001b77d09812">
    <topic>vinagre -- format string vulnerability</topic>
    <affects>
      <package>
        <name>vinagre</name>
        <range><lt>0.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>CORE Security Technologies reports:</p>
        <blockquote
          cite="http://www.coresecurity.com/content/vinagre-format-string">
          <p>A format string error has been found on the
          vinagre_utils_show_error() function that can be exploited via
          commands issued from a malicious server containing format
          string specifiers on the VNC name.</p>
          <p>In a web based attack scenario, the user would be required
          to connect to a malicious server. Successful exploitation
          would then allow the attacker to execute arbitrary code with
          the privileges of the Vinagre user.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <bid>32682</bid>
      <url>http://www.coresecurity.com/content/vinagre-format-string</url>
      <url>http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.news</url>
    </references>
    <dates>
      <discovery>09-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: