ports/53546: Update port: graphics/xpdf (includes security fix)

Hideyuki KURASHINA rushani at FreeBSD.org
Fri Jun 20 09:50:19 UTC 2003


>Number:         53546
>Category:       ports
>Synopsis:       Update port: graphics/xpdf (includes security fix)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 20 02:50:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Hideyuki KURASHINA
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:

	System: FreeBSD ***.*******.jp 4.8-STABLE FreeBSD 4.8-STABLE #1: Tue Jun 17 21:39:02 JST 2003

>Description:

	Similar to ports/53479, xpdf before 2.02pl1 contains a vulnerability
	that makes it possible to construct a malicious URL link in a PDF file
	which causes an arbitrary command to be run.

	From xpdf 2.02pl1 on, the characters allowed in URL strings are
	governed by a stricter policy. In former releases, xpdf filtered
	single quotation marks (') and double quotation marks ("), but not
	back-quotation marks (`).
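	As an added illustration (not xpdf's code and not part of this PR), the
	difference between the two policies the description contrasts: a denylist
	that strips only ' and " still lets a back-quoted string through, while an
	allowlist of URL characters rejects it. The allowlist below is an assumption
	modelled on the RFC 2396 character classes, not xpdf's exact list.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pre-2.02pl1 style policy: reject a URL only if it contains ' or ".
 * Anything else, including a backquote, passes. */
bool old_denylist_accepts(const char *url)
{
    return strchr(url, '\'') == NULL && strchr(url, '"') == NULL;
}

/* 2.02pl1 style policy: accept only characters on an explicit allowlist.
 * The set is an assumption for this example (alphanumerics plus the
 * RFC 2396 mark/reserved punctuation); a backquote is not on it. */
bool new_allowlist_accepts(const char *url)
{
    static const char extra[] = "-_.!~*'();/?:@&=+$,%#";
    const unsigned char *p = (const unsigned char *)url;

    if (*p == '\0')
        return false;                 /* an empty URL is not a link */
    for (; *p; p++) {
        if (!isalnum(*p) && strchr(extra, (int)*p) == NULL)
            return false;             /* first disallowed byte rejects */
    }
    return true;
}

int main(void)
{
    /* Constructed sample links; "`cmd`" is a placeholder, not a command. */
    const char *samples[] = {
        "http://www.foolabs.com/xpdf/download.html",
        "http://example.invalid/`cmd`",
        "http://example.invalid/\"quoted\"",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s denylist=%d allowlist=%d\n", samples[i],
               old_denylist_accepts(samples[i]),
               new_allowlist_accepts(samples[i]));
    return 0;
}
```

	The second sample is the case the PR describes: the denylist accepts it,
	the allowlist does not.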

	See the following references for details.

	  Xpdf, Current version 
	    http://www.foolabs.com/xpdf/download.html
	  [Full-Disclosure] -10Day CERT Advisory on PDF Files
	    http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
	  Xpdf Information for VU#200132
	    http://www.kb.cert.org/vuls/id/IAFY-5MQRU8

>How-To-Repeat:

	N/A (I couldn't reproduce this vulnerability).

>Fix:

	Update the xpdf port as follows:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/graphics/xpdf/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- Makefile	7 Apr 2003 00:43:45 -0000	1.49
+++ Makefile	20 Jun 2003 08:05:45 -0000
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	xpdf
-PORTVERSION=	2.02
+PORTVERSION=	2.02pl1
 CATEGORIES=	graphics print
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/ \
 		${MASTER_SITE_TEX_CTAN}
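Review bot: the bump at `+PORTVERSION=	2.02pl1` should be checked with pkg_version(1) to confirm that 2.02pl1 sorts above 2.02, otherwise installed packages will not be reported as out of date and users will not pick up the security fix; also verify that both listed MASTER_SITES (ftp.foolabs.com and ${MASTER_SITE_TEX_CTAN}) actually carry xpdf-2.02pl1.tar.gz, since a mirror lagging behind the upstream release will simply fail on fetch before falling through to the next site.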
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/graphics/xpdf/distinfo,v
retrieving revision 1.20
diff -u -r1.20 distinfo
--- distinfo	7 Apr 2003 00:43:45 -0000	1.20
+++ distinfo	20 Jun 2003 08:06:15 -0000
@@ -1 +1 @@
-MD5 (xpdf-2.02.tar.gz) = fb54402d98fb834e5778163cfc238b44
+MD5 (xpdf-2.02pl1.tar.gz) = e2932bb0f844d8318c940350c2aa2eb6
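Review bot: the replaced line `+MD5 (xpdf-2.02pl1.tar.gz) = e2932bb0f844d8318c940350c2aa2eb6` is the only integrity anchor for the security fix and is not corroborated anywhere else in the PR, so the committer should regenerate distinfo with `make makesum` against a tarball fetched from the foolabs.com site cited in the Description rather than commit the checksum as given in the patch.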



>Release-Note:
>Audit-Trail:
>Unformatted:


