Date: Sun, 8 Nov 2009 18:34:13 -0500
From: Wesley Shields
To: Dirk Meyer , ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/graphics/gd Makefile ports/graphics/gd/files patch-cve-2009-3546

On Sat, Nov 07, 2009 at 08:52:25AM +0000, N.J. Mann wrote:
> In message <200911062137.nA6LbG1U080346@repoman.freebsd.org>,
> Dirk Meyer (dinoex@FreeBSD.org) wrote:
> > dinoex 2009-11-06 21:37:16 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> > graphics/gd Makefile
> > Added files:
> > graphics/gd/files patch-cve-2009-3546
> > Log:
> > - Security patch
> > Security: CVE-2009-3546
> > Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
> > PR: 140335
> > Submitted by: Eygene Ryabinkin
> > Obtained from: PHP project
> >
> > Revision Changes Path
> > 1.92 +1 -1 ports/graphics/gd/Makefile
> > 1.1 +15 -0 ports/graphics/gd/files/patch-cve-2009-3546 (new)
>
> I think there is something wrong with the vulnerabilities entry for this
> port which stops this update completing. I just tried updating this
> port from gd-2.0.35_1,1 to gd-2.0.35_2,1 and got:
>
>
> ===> gd-2.0.35_2,1 has known vulnerabilities:
> => gd -- '_gdGetColors' remote buffer overflow vulnerability.
> Reference:
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/graphics/gd.
> *** Error code 1
>
> Stop in /usr/ports/graphics/gd.
>
>
> I had a look at the portaudit entry at the URL given. I am unfamiliar
> with the syntax of these entries, but the 'Affects' entries look
> suspicious to me, e.g. "gd >0'. Does it need correcting?

Yes, and I have fixed it for graphics/gd. I'm unsure about the status of
the other ports mentioned in the entry so I left them alone.

Thanks!

-- WXS