svn commit: r401780 - head/print/a2ps/files

Jason Unovitch junovitch at FreeBSD.org
Fri Nov 20 03:33:56 UTC 2015



On Mon, Nov 16, 2015 at 06:38:57PM +0000, Dirk Meyer wrote:
> Author: dinoex
> Date: Mon Nov 16 18:38:56 2015
> New Revision: 401780
> URL: https://svnweb.freebsd.org/changeset/ports/401780
> 
> Log:
>   - fix for malicious crafted a2ps prologue files
>   Security: CVE-2015-8107
>   Security: http://www.openwall.com/lists/oss-security/2015/11/16/4
>   Submitted by:	feld
>   Obtained from:	http://www.openwall.com/
> 
> Added:
>   head/print/a2ps/files/patch-output.c   (contents, props changed)
> 
> Added: head/print/a2ps/files/patch-output.c
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ head/print/a2ps/files/patch-output.c	Mon Nov 16 18:38:56 2015	(r401780)
> @@ -0,0 +1,13 @@
> +Fix for CVE-2015-8107
> +http://www.openwall.com/lists/oss-security/2015/11/16/4
> +--- lib/output.c.orig  2015-11-16 15:29:38 UTC
> ++++ lib/output.c
> +@@ -525,7 +525,7 @@ output_file (struct output * out, a2ps_j
> +                    expand_user_string (job, FIRST_FILE (job),
> +                                        (const uchar *) "Expand: requirement",
> +                                        (const uchar *) token));
> +-      output (dest, expansion);
> ++      output (dest, "%s", expansion);
> +       continue;
> +       }
> +
> 
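Review bot: the one-line change is the right kind of fix, but the hunk only covers one call site. `expansion` is the result of `expand_user_string()` applied to a `token` read from the prologue file, so with `output (dest, expansion)` an attacker-controlled string is handed to a printf-style routine as its format argument, and any `%` directives in it are interpreted rather than printed; `output (dest, "%s", expansion)` turns it back into plain data. Before this lands as the complete fix for CVE-2015-8107, every other `output()` (and printf-family) call in lib/output.c that receives an expanded or user-supplied string should get the same `"%s"` shape; building with `-Wformat -Wformat-security` flags any non-literal format argument that was missed. The patch file itself is fine by ports conventions (the two comment lines before the `---` header are ignored by patch(1)), but the commit needs a PORTREVISION bump so package consumers can distinguish patched from unpatched builds.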
Dirk,
Hi there. This resolves the issue, but without a PORTREVISION bump
there's no way for an end user to know if the issue has actually been
fixed or not. Can you bump PORTREVISION? (Note this also looks like it
needs MFH, likely with r398049 and r401844 given the nature of both
commits.)

