Date: Thu, 19 Nov 2015 22:33:55 -0500 From: Jason Unovitch <junovitch@FreeBSD.org> To: Dirk Meyer <dinoex@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r401780 - head/print/a2ps/files Message-ID: <20151120033355.GA28758@Silverstone.nc-us.unovitch.com> In-Reply-To: <201511161838.tAGIcv4W085038@repo.freebsd.org> References: <201511161838.tAGIcv4W085038@repo.freebsd.org>
On Mon, Nov 16, 2015 at 06:38:57PM +0000, Dirk Meyer wrote:
> Author: dinoex
> Date: Mon Nov 16 18:38:56 2015
> New Revision: 401780
> URL: https://svnweb.freebsd.org/changeset/ports/401780
>
> Log:
>   - fix for malicious crafted a2ps prologue files
>   Security:	CVE-2015-8107
>   Security:	http://www.openwall.com/lists/oss-security/2015/11/16/4
>   Submitted by:	feld
>   Obtained from:	http://www.openwall.com/
>
> Added:
>   head/print/a2ps/files/patch-output.c   (contents, props changed)
>
> Added: head/print/a2ps/files/patch-output.c
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ head/print/a2ps/files/patch-output.c	Mon Nov 16 18:38:56 2015	(r401780)
> @@ -0,0 +1,13 @@
> +Fix for CVE-2015-8107
> +http://www.openwall.com/lists/oss-security/2015/11/16/4
> +--- lib/output.c.orig	2015-11-16 15:29:38 UTC
> ++++ lib/output.c
> +@@ -525,7 +525,7 @@ output_file (struct output * out, a2ps_j
> + expand_user_string (job, FIRST_FILE (job),
> + (const uchar *) "Expand: requirement",
> + (const uchar *) token));
> +- output (dest, expansion);
> ++ output (dest, "%s", expansion);
> + continue;
> + }
> +

Dirk,

Hi there. This resolves the issue, but without a PORTREVISION bump there's no way for an end user to know if the issue has actually been fixed or not. Can you bump PORTREVISION?

(Note this also looks like it needs MFH, likely with r398049 and r401844 given the nature of both commits.)
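Review bot: the patch comment (`Fix for CVE-2015-8107` plus the advisory URL) never says why the change is needed, so a later reader of `patch-output.c` cannot tell that `expansion`, the `expand_user_string` result derived from the prologue `token`, was being passed to `output()` as its format argument; add one line to the patch header stating that the expansion is content, not a format string, which is exactly what `output (dest, "%s", expansion);` enforces. While at it, check whether any other `output (dest, ...)` call in lib/output.c passes a non-literal format and needs the same `"%s"` treatment, since this hunk covers only the one call in `output_file`.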