Date: Thu, 20 Nov 2008 00:29:40 +0300 (MSK) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/128999: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 Message-ID: <20081119212940.A0D98F181F@phoenix.codelabs.ru> Resent-Message-ID: <200811192130.mAJLUEvP085426@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 128999 >Category: ports >Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix CVE-2008-4829 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Nov 19 21:30:14 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE i386 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE i386 >Description: Streamripper 1.64.0 is out and this release fixes security vulnerability discovered by Secunia. >How-To-Repeat: http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196 http://secunia.com/secunia_research/2008-50/ >Fix: The following patch updates the port to 1.64.0. It works for me: MP3 streams are ripped perfectly. --- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff begins here --- diff -urN ./Makefile ../streamripper/Makefile --- ./Makefile 2008-11-19 23:50:33.000000000 +0300 +++ ../streamripper/Makefile 2008-11-19 23:57:00.000000000 +0300 @@ -6,7 +6,7 @@ # PORTNAME= streamripper -PORTVERSION= 1.63.5 +PORTVERSION= 1.64.0 CATEGORIES= audio MASTER_SITES= SF \ http://gd.tuwien.ac.at/hci/cdk/:cdk diff -urN ./distinfo ../streamripper/distinfo --- ./distinfo 2008-11-19 23:50:33.000000000 +0300 +++ ../streamripper/distinfo 2008-11-19 23:57:19.000000000 +0300 @@ -1,6 +1,6 @@ -MD5 (streamripper-1.63.5.tar.gz) = 73a63383dca00615c3328cf51bf2fa56 -SHA256 (streamripper-1.63.5.tar.gz) = 877aed28880b904383c4e761c0ecb1e046dbe45126e648110c0292991d1e5b93 -SIZE (streamripper-1.63.5.tar.gz) = 1302177 +MD5 (streamripper-1.64.0.tar.gz) = f8754813ddc2bc96c4c3440e25aca8b6 +SHA256 (streamripper-1.64.0.tar.gz) = a53f50d26de3610e59a07eaf81cc9da348aaf7b35bc4a302f2e5f6defb1297ae +SIZE (streamripper-1.64.0.tar.gz) = 839535 MD5 (cdk-5.0-20060507.tgz) = 0ec2460a4484d5f5595d8faca61bc9c5 SHA256 (cdk-5.0-20060507.tgz) = e823bfcce52916727cb23d6d549a64347c45c364b3c628d6a352c407fce8f4b4 SIZE (cdk-5.0-20060507.tgz) = 396514 --- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="unknown"> <topic>streamripper -- user-assisted arbitrary code execution</topic> <affects> <package> <name>streamripper</name> <range><lt>1.64.0</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Secunia Research has discovered some vulnerabilities in Streamripper, which can be exploited by malicious people to compromise a user's system:</p> <blockquote cite="http://secunia.com/secunia_research/2008-50/"> <ol> <li>A boundary error exists within http_parse_sc_header() in lib/http.c when parsing an overly long HTTP header starting with “Zwitterion v”.</li> <li>A boundary error exists within http_get_pls() in lib/http.c when parsing a specially crafted pls playlist containing an overly long entry.</li> <li>A boundary error exists within http_get_m3u() in lib/http.c when parsing a specially crafted m3u playlist containing an overly long “File” entry.</li> </ol> <p>Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into connecting to a malicious server.</p> </blockquote> </body> </description> <references> <cvename>CVE-2008-4829</cvename> <url>http://secunia.com/secunia_research/2008-50/</url> <url>http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196</url> </references> <dates> <discovery>2008-11-19</discovery> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081119212940.A0D98F181F>