Date: Fri, 20 Jun 2003 18:44:59 +0900 (JST)
From: Hideyuki KURASHINA <rushani@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: DougB@FreeBSD.org
Subject: ports/53546: Update port: graphics/xpdf (includes security fix)
Message-ID: <20030620.184459.35472975.rushani@FreeBSD.org>
Resent-Message-ID: <200306200950.h5K9oIbD097974@freefall.freebsd.org>
>Number:         53546
>Category:       ports
>Synopsis:       Update port: graphics/xpdf (includes security fix)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 20 02:50:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Hideyuki KURASHINA
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD ***.*******.jp 4.8-STABLE FreeBSD 4.8-STABLE #1: Tue Jun 17 21:39:02 JST 2003
>Description:
Similar to ports/53479, xpdf before 2.02pl1 contains a vulnerability that makes it possible to construct a malicious URL link in a PDF file which causes an arbitrary command to be run. From xpdf 2.02pl1, the characters allowed in URL strings are based on a stricter policy. In former releases, xpdf filters single quotation marks (') and double quotation marks ("), but not back-quotation marks (`).

See the following references for details.

Xpdf, Current version
http://www.foolabs.com/xpdf/download.html

[Full-Disclosure] -10Day CERT Advisory on PDF Files
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html

Xpdf Information for VU#200132
http://www.kb.cert.org/vuls/id/IAFY-5MQRU8
>How-To-Repeat:
N/A (I couldn't reproduce this vulnerability).
>Fix:
Update the xpdf port as follows:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/graphics/xpdf/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- Makefile 7 Apr 2003 00:43:45 -0000 1.49
+++ Makefile 20 Jun 2003 08:05:45 -0000
@@ -6,7 +6,7 @@ # PORTNAME= xpdf -PORTVERSION= 2.02 +PORTVERSION= 2.02pl1 CATEGORIES= graphics print MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \ ${MASTER_SITE_TEX_CTAN} Index: distinfo =================================================================== RCS file: /home/ncvs/ports/graphics/xpdf/distinfo,v retrieving revision 1.20 diff -u -r1.20 distinfo --- distinfo 7 Apr 2003 00:43:45 -0000 1.20 +++ distinfo 20 Jun 2003 08:06:15 -0000 @@ -1 +1 @@ -MD5 (xpdf-2.02.tar.gz) = fb54402d98fb834e5778163cfc238b44 +MD5 (xpdf-2.02pl1.tar.gz) = e2932bb0f844d8318c940350c2aa2eb6 >Release-Note: >Audit-Trail: >Unformatted:
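Review bot: in the Makefile hunk, PORTVERSION goes from 2.02 to 2.02pl1 with no PORTREVISION present, so upgrading an installed xpdf-2.02 depends entirely on the version comparison treating the pl1 suffix as newer than a bare 2.02; confirm with `pkg_version -t 2.02 2.02pl1` (expected output `<`) before committing. The MASTER_SITES context lines list ftp.foolabs.com first and the CTAN mirror second, which is the right order for a same-day security release, since the mirror can lag the upstream site.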
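Review bot: the distinfo hunk replaces only the MD5 line, so nothing in the patch ties the new checksum e2932bb0f844d8318c940350c2aa2eb6 to an upstream source; for a security update, fetch xpdf-2.02pl1.tar.gz directly from ftp.foolabs.com (the first MASTER_SITES entry), run `make checksum` against the updated distinfo, and cross-check the hash against the foolabs download page cited in the Description, because a mirror serving a modified tarball would otherwise be blessed by this hunk.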
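The Description contrasts two filtering policies for link targets that get spliced into a shell command: the pre-2.02pl1 blocklist, which strips ' and " but lets a backtick through, and the stricter 2.02pl1 policy. The model below is an added example, not xpdf's code and not part of the PR: the command template (echo standing in for a browser), the allowlist of URL characters, and the two sample link targets are all constructed here, and the pre-fix filter is a hypothetical reconstruction of the behaviour the PR describes rather than the real xpdf source. It shows why removing quotes does not help once the URL lands inside a double-quoted shell word, how an allowlist rejects the same input outright, and how building argv directly keeps the shell out of the picture.

```python
"""Added model of the URL-command problem described in the PR (not xpdf's code).

Pre-2.02pl1 xpdf, per the PR, stripped ' and " from a link target but not `
before substituting it into a shell command. The functions below model that
blocklist, an allowlist policy in the spirit of 2.02pl1, and an argv-based
alternative that avoids the shell entirely. Template, allowlist and sample
URLs are all constructed for this illustration.
"""
import shutil
import subprocess
from typing import List, Optional

# Assumed viewer command template, standing in for xpdfrc's urlCommand: %s is
# replaced by the link target. echo stands in for the browser so it runs here.
URL_COMMAND_TEMPLATE = 'echo "openURL(%s)"'

# Constructed PDF link targets: one benign, one carrying a backtick payload.
BENIGN_URL = "http://example.test/report.pdf?id=42"
MALICIOUS_URL = "http://example.test/`echo INJECTED`"


def legacy_filter(url: str) -> str:
    """Hypothetical model of the pre-2.02pl1 blocklist: drop quotes, pass the rest."""
    return url.replace("'", "").replace('"', "")


# Assumed allowlist: RFC 3986 unreserved characters plus common URL punctuation.
# Note what is absent: space, quotes, backtick, $, (, ), ;, |, <, >.
SAFE_URL_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789-_.~/?:@&=+,#%"
)


def strict_filter(url: str) -> Optional[str]:
    """Allowlist policy: return the URL only if every character is permitted."""
    return url if url and all(c in SAFE_URL_CHARS for c in url) else None


def build_shell_command(url: str, template: str = URL_COMMAND_TEMPLATE) -> str:
    """Splice the (filtered) URL into the template, as a %s-based urlCommand does."""
    return template.replace("%s", url)


def run_via_sh(cmd: str) -> Optional[str]:
    """Run the command string through sh -c, the way system(3) would.

    Returns stdout with the trailing newline removed, or None if this host
    has no sh to run it with.
    """
    if shutil.which("sh") is None:
        return None
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.strip()


def safe_argv(url: str) -> List[str]:
    """Hardened alternative: build argv directly and never involve a shell.

    The URL is a single argument, so backticks, quotes and semicolons stay
    literal data. Pair this with strict_filter so the browser itself never
    receives shell metacharacters either.
    """
    return ["echo", f"openURL({url})"]


def demo() -> dict:
    """Collect the observations the PR's description predicts."""
    legacy_cmd = build_shell_command(legacy_filter(MALICIOUS_URL))
    return {
        "legacy_passes_backtick": "`" in legacy_filter(MALICIOUS_URL),
        "legacy_sh_output": run_via_sh(legacy_cmd),
        "strict_rejects_malicious": strict_filter(MALICIOUS_URL) is None,
        "strict_keeps_benign": strict_filter(BENIGN_URL) == BENIGN_URL,
        "argv_keeps_backtick_literal": safe_argv(MALICIOUS_URL)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the legacy path handing sh the string `echo "openURL(http://example.test/`echo INJECTED`)"`, whose output reads `openURL(http://example.test/INJECTED)`: the inner command ran because backticks are substituted inside double quotes, and stripping quotes did nothing to stop it. The allowlist rejects the same target before any command is built, and the argv form carries the backticks as inert characters.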
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030620.184459.35472975.rushani>