From owner-svn-ports-all@FreeBSD.ORG Tue Mar 24 22:15:14 2015
Return-Path:
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2C9E54DA; Tue, 24 Mar 2015 22:15:14 +0000 (UTC)
Received: from exodus.zi0r.com (exodus.zi0r.com [71.179.14.195]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "exodus.zi0r.com", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DE4898C; Tue, 24 Mar 2015 22:15:13 +0000 (UTC)
Received: from exodus.zi0r.com (localhost [127.0.0.1]) by exodus.zi0r.com (Postfix) with ESMTP id 99746BEF86; Tue, 24 Mar 2015 18:15:11 -0400 (EDT)
X-Virus-Scanned: amavisd-new at zi0r.com
Received: from exodus.zi0r.com ([127.0.0.1]) by exodus.zi0r.com (exodus.zi0r.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP id AhefFwblRyhJ; Tue, 24 Mar 2015 18:15:10 -0400 (EDT)
Received: from exodus.zi0r.com (syn.zi0r.com [71.179.14.194]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by exodus.zi0r.com (Postfix) with ESMTPSA id 929CBBEF84; Tue, 24 Mar 2015 18:15:10 -0400 (EDT)
Date: Tue, 24 Mar 2015 18:15:09 -0400
From: Ryan Steinmetz
To: Brooks Davis
Subject: Re: svn commit: r382177 - head/security/vuxml
Message-ID: <20150324221509.GA37845@exodus.zi0r.com>
References: <201503242132.t2OLW4hH013602@svn.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <201503242132.t2OLW4hH013602@svn.freebsd.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the ports tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Mar 2015 22:15:14 -0000

Brooks,

In the future, please use 'make validate' before committing anything to vuln.xml. (You may need to run 'make install' from the vuxml port directory before 'make validate' will work though).

Thanks!

-r

On (03/24/15 21:32), Brooks Davis wrote:
>Author: brooks
>Date: Tue Mar 24 21:32:04 2015
>New Revision: 382177
>URL: https://svnweb.freebsd.org/changeset/ports/382177
>QAT: https://qat.redports.org/buildarchive/r382177/
>
>Log:
>  The ancient version of binutils in the cross-binutils port suffers from
>  several vulnerabilities.
>
>  This also affects devel/mingw64-binutils.
>
>  PR:		198816
>  Reported by:	Sevan Janiyan
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln.xml
>==============================================================================
>--- head/security/vuxml/vuln.xml	Tue Mar 24 21:26:18 2015	(r382176)
>+++ head/security/vuxml/vuln.xml	Tue Mar 24 21:32:04 2015	(r382177)
>@@ -57,6 +57,56 @@ Notes: > > --> > >+ >+ GNU binutils -- multiple vulnerabilities >+ >+ >+ devel/cross-binutils >+ 2.25 >+ >+ >+ devel/mingw64-binutils >+ 2.25 >+ >+ >+ >+ >+

US-CERT/NIST reports:

>+
>+

The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU >+ binutils 2.24 and earlier allows remote attackers to cause a >+ denial of service (out-of-bounds write) and possibly have other >+ unspecified impact via a crafted NumberOfRvaAndSizes field in the >+ AOUT header in a PE executable.

>+
>+

US-CERT/NIST reports:

>+
>+

Heap-based buffer overflow in the pe_print_edata function in >+ bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote >+ attackers to cause a denial of service (crash) and possibly have >+ other unspecified impact via a truncated export table in a PE >+ file.

>+
>+

US-CERT/NIST reports:

>+
>+

Stack-based buffer overflow in the ihex_scan function in >+ bfd/ihex.c in GNU binutils 2.24 and earlier allows remote >+ attackers to cause a denial of service (crash) and possibly have >+ other unspecified impact via a crafted ihex file.

>+
>+ >+
>+ >+ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501 >+ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502 >+ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503 >+ >+ >+ 2014-12-09 >+ 2015-03-24 >+ >+
>+ > > libuv -- incorrect revocation order while relinquishing privileges > >

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
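Review bot: the structural problem that the reply's 'make validate' request points at cannot be located in this quoted copy of the hunk, because the XML markup of the new vuln.xml entry has been stripped in transit and only the text nodes survive (the topic, the two package names, the two "2.25" bounds, the three "US-CERT/NIST reports:" descriptions, the three CVE URLs and the two dates); before re-committing, run 'make validate' in the vuxml port directory (after 'make install' there, as the reply notes) so that the DTD check reports the exact element that is missing or misplaced. What can be checked from the visible text is consistent: all three NVD descriptions say "GNU binutils 2.24 and earlier", which matches the "2.25" upper bound given for both devel/cross-binutils and devel/mingw64-binutils; the three reference URLs name CVE-2014-8501, CVE-2014-8502 and CVE-2014-8503, one per description block (the PE AOUT header NumberOfRvaAndSizes out-of-bounds write, the pe_print_edata heap overflow on a truncated export table, and the ihex_scan stack overflow); and the entry lists both ports that the log message names. One thing worth adding to the log rather than the entry: the "ancient version" wording does not state which binutils version the cross-binutils port actually ships, so a reader of the commit cannot confirm from the message alone that the port version is below the "2.25" bound.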