cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546

N.J. Mann
njm at njm.me.uk
Sat Nov 7 08:52:29 UTC 2009

In message <200911062137.nA6LbG1U080346 at repoman.freebsd.org>,
Dirk Meyer (dinoex at FreeBSD.org) wrote:
> dinoex 2009-11-06 21:37:16 UTC
>
> FreeBSD ports repository
>
> Modified files:
> graphics/gd Makefile
> Added files:
> graphics/gd/files patch-cve-2009-3546
> Log:
> - Security patch
> Security: CVE-2009-3546
> Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
> PR: 140335
> Submitted by: Eygene Ryabinkin
> Obtained from: PHP project
>
> Revision Changes Path
> 1.92 +1 -1 ports/graphics/gd/Makefile
> 1.1 +15 -0 ports/graphics/gd/files/patch-cve-2009-3546 (new)

I think there is something wrong with the vulnerabilities entry for this
port which stops this update completing. I just tried updating this
port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:

===> gd-2.0.35_2,1 has known vulnerabilities:
=> gd -- '_gdGetColors' remote buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
=> Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports/graphics/gd.
*** Error code 1
Stop in /usr/ports/graphics/gd.

I had a look at the portaudit entry at the URL given. I am unfamiliar
with the syntax of these entries, but the 'Affects' entries look
suspicious to me, e.g. "gd >0". Does it need correcting?

Cheers,
Nick.