ports/53546: Update port: graphics/xpdf (includes security fix)
Hideyuki KURASHINA
rushani at FreeBSD.org
Fri Jun 20 09:50:19 UTC 2003
>Number: 53546
>Category: ports
>Synopsis: Update port: graphics/xpdf (includes security fix)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 20 02:50:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Hideyuki KURASHINA
>Release: FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD ***.*******.jp 4.8-STABLE FreeBSD 4.8-STABLE #1: Tue Jun 17 21:39:02 JST 2003
>Description:
Similar to ports/53479, xpdf before 2.02pl1 contains a vulnerability
that makes it possible to construct a malicious URL link in a PDF file
which causes an arbitrary command to be run.
From xpdf 2.02pl1, the allowable characters to be used in URL strings
are based on a stricter policy. In former releases, xpdf does filter
single quotation marks (') and double quotation marks ("), but not
back-quotation marks (`).
See the following references for details.
Xpdf, Current version
http://www.foolabs.com/xpdf/download.html
[Full-Disclosure] -10Day CERT Advisory on PDF Files
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
Xpdf Information for VU#200132
http://www.kb.cert.org/vuls/id/IAFY-5MQRU8
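The description above contrasts a denylist that strips only ' and " with the stricter character policy introduced in 2.02pl1. The following C program is an added example written for this archive page; it is not xpdf's code and not part of the PR's patch. It places a denylist check beside an allowlist check and runs both over a handful of constructed link strings. The allowlist character set (URL_EXTRA) and the function names are assumptions chosen for the example, not xpdf's actual set.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Denylist policy, as the report describes the pre-2.02pl1 behaviour:
 * only ' and " are rejected, so a back-quote (`) is accepted unchanged. */
bool url_ok_denylist(const char *url)
{
    for (const char *p = url; *p != '\0'; ++p) {
        if (*p == '\'' || *p == '"')
            return false;
    }
    return true;
}

/* Allowlist policy (hypothetical: modelled on the "stricter policy" the
 * report mentions, not xpdf's actual character set). Only ASCII letters,
 * digits and the URL punctuation listed in URL_EXTRA are accepted; every
 * other byte, including ` ' " space and control characters, is rejected.
 * The apostrophe is left out on purpose even though RFC 3986 allows it. */
static const char URL_EXTRA[] = ":/?#[]@!$&()*+,;=%~-._";

bool url_ok_allowlist(const char *url)
{
    if (url == NULL || *url == '\0')
        return false;                      /* an empty link is not a URL */
    for (const char *p = url; *p != '\0'; ++p) {
        unsigned char c = (unsigned char)*p;
        if (c >= 0x80 || !isprint(c))      /* non-ASCII or control byte */
            return false;
        if (isalnum(c))
            continue;
        if (strchr(URL_EXTRA, (int)c) == NULL)
            return false;
    }
    return true;
}

/* Constructed sample links (not taken from any real PDF); should_pass is
 * the verdict a safe policy ought to reach for each one. */
struct sample { const char *url; bool should_pass; };

static const struct sample SAMPLES[] = {
    { "http://www.foolabs.com/xpdf/download.html", true  },
    { "http://example.com/a'b",                    false },
    { "http://example.com/a\"b",                   false },
    { "http://example.com/a`b",                    false },
    { "http://example.com/a b",                    false },
};

/* Counts the samples on which a policy reaches the wrong verdict. */
int count_policy_misses(bool (*policy)(const char *))
{
    int misses = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; ++i)
        if (policy(SAMPLES[i].url) != SAMPLES[i].should_pass)
            ++misses;
    return misses;
}

int main(void)
{
    /* The denylist lets the back-quote and the space through (2 misses);
     * the allowlist rejects everything it was not told to accept (0). */
    printf("denylist misses:  %d\n", count_policy_misses(url_ok_denylist));
    printf("allowlist misses: %d\n", count_policy_misses(url_ok_allowlist));
    return 0;
}
```

Compile with cc -Wall and run; the two counts show why enumerating bad characters keeps failing whenever one more shell metacharacter is forgotten, while an allowlist fails closed. Character filtering is still only a second line of defence: a link handler that never hands the URL to a shell in the first place has no quoting problem to filter.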
>How-To-Repeat:
N/A (I couldn't reproduce this vulnerability).
>Fix:
Update the xpdf port as follows:
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/graphics/xpdf/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- Makefile 7 Apr 2003 00:43:45 -0000 1.49
+++ Makefile 20 Jun 2003 08:05:45 -0000
@@ -6,7 +6,7 @@
#
PORTNAME= xpdf
-PORTVERSION= 2.02
+PORTVERSION= 2.02pl1
CATEGORIES= graphics print
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
${MASTER_SITE_TEX_CTAN}
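Review bot: the new PORTVERSION value 2.02pl1 carries a letter suffix, so confirm before committing that the ports version comparison orders it after 2.02 (pkg_version -t 2.02 2.02pl1 should print "<"); otherwise installed 2.02 packages would not see this security update as an upgrade. Also, MASTER_SITES lists ${MASTER_SITE_TEX_CTAN} as a fallback after ftp.foolabs.com; check that the CTAN mirror actually carries xpdf-2.02pl1.tar.gz, or users who fall back to it will fetch nothing, or an old tarball that then fails the checksum.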
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/graphics/xpdf/distinfo,v
retrieving revision 1.20
diff -u -r1.20 distinfo
--- distinfo 7 Apr 2003 00:43:45 -0000 1.20
+++ distinfo 20 Jun 2003 08:06:15 -0000
@@ -1 +1 @@
-MD5 (xpdf-2.02.tar.gz) = fb54402d98fb834e5778163cfc238b44
+MD5 (xpdf-2.02pl1.tar.gz) = e2932bb0f844d8318c940350c2aa2eb6
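Review bot: the only integrity value in this hunk is a single MD5, so the commit message or PR should say where it came from: regenerate it with make makesum from a tarball fetched from the primary site ftp.foolabs.com rather than a mirror, and confirm make checksum passes on a clean fetch. A tampered tarball on a mirror is caught only if its hash differs from the one committed here, so the provenance of this one line is what gives the checksum its value.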
>Release-Note:
>Audit-Trail:
>Unformatted: