Date: Fri, 04 Oct 2019 20:06:57 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 241066] graphics/xpdf3: Backport fix for CVE-2019-16927 and CVE-2019-9877
Message-ID: <bug-241066-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241066

Bug ID: 241066
Summary: graphics/xpdf3: Backport fix for CVE-2019-16927 and CVE-2019-9877
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: cy@FreeBSD.org
Reporter: naddy@FreeBSD.org
Flags: maintainer-feedback?(cy@FreeBSD.org)

Created attachment 208100
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208100&action=edit
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites

Xpdf release 4.02 has fixed the serious vulnerability CVE-2019-16927 (out-of-bounds write).

I have extracted the relevant change from the diff between 4.01.01 and 4.02 and backported it to 3.04. See the patch to TextOutputDev.cc in the attached diff.

Release 4.01.01 contained a different stopgap fix for CVE-2019-9877, a closely related out-of-bounds write. It turns out that the fix for CVE-2019-16927 will also protect against CVE-2019-9877.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVE-2019-9877&search_type=all
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41265

While here, I suggest to also update the WWW URL and the dead master sites.

-- 
You are receiving this mail because:
You are the assignee for the bug.