From owner-freebsd-ports  Thu Oct 17  2:11:21 2002
Date: Thu, 17 Oct 2002 11:11:12 +0200 (CEST)
From: Konrad Heuer <kheuer@gwdg.de>
To: ports@freebsd.org
Subject: GV security problem
Message-ID: <20021017110243.U544-100000@gwdu60.gwdg.de>


Maybe you already know about the bug discovered in GV code; otherwise
please look at e.g.: http://online.securityfocus.com/advisories/4563

Short description:

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  This problem is triggered by scanning the PostScript
file and can be exploited by an attacker sending a malformed
PostScript or PDF file.  The attacker is able to cause arbitrary code
to be run with the privileges of the victim.

Do you expect a port update to be available soon? (Same problem holds
true for ghostview afaik.)

Regards
K. Heuer (kheuer@gwdg.de)

