Date: Sat, 3 May 2008 20:53:48 +0200 (CEST) From: Henrik Brix Andersen <brix@lothlorien.brixandersen.dk> To: FreeBSD-gnats-submit@FreeBSD.org Cc: alexbl@FreeBSD.org Subject: ports/123373: [patch] Fix security issue in graphics/swfdec (update to 0.6.6) Message-ID: <20080503185348.6750D1141D@lothlorien.brixandersen.dk> Resent-Message-ID: <200805031900.m43J07cY024764@freefall.freebsd.org>
>Number: 123373 >Category: ports >Synopsis: [patch] Fix security issue in graphics/swfdec (update to 0.6.6) >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sat May 03 19:00:06 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Henrik Brix Andersen >Release: FreeBSD 8.0-CURRENT i386 >Organization: >Environment: System: FreeBSD lothlorien.brixandersen.dk 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Fri May 2 13:48:00 CEST 2008 root@lothlorien.brixandersen.dk:/usr/obj/usr/src/sys/LOTHLORIEN-DEBUG i386 >Description: >From http://secunia.com/advisories/29915/ : "A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information. The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the content of arbitrary local files by e.g. tricking a user into visiting a malicious website. The vulnerability is reported in versions prior to 0.6.4." The files/patch-swfdec-gtk_swfdec_gtk_system.c patch is not needed with this release. >How-To-Repeat: >Fix: The patch below updates graphics/swfdec to version 0.6.6. It also fixes a problem with inclusion of bsd.port.*.mk (.pre.mk must be included prior to testing OPTIONS). --- swfdec.diff begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/graphics/swfdec/Makefile,v retrieving revision 1.52 diff -u -p -r1.52 Makefile --- Makefile 24 Mar 2008 03:49:48 -0000 1.52 +++ Makefile 3 May 2008 12:14:16 -0000 @@ -7,8 +7,7 @@ # PORTNAME= swfdec -PORTVERSION= 0.6.0 -PORTREVISION= 1 +PORTVERSION= 0.6.6 CATEGORIES= graphics MASTER_SITES= http://swfdec.freedesktop.org/download/swfdec/0.6/ 
@@ -31,6 +30,8 @@ OPTIONS= GSTREAMER "Support for decoding PLIST_SUB= VERSION=${PORTVERSION:R} +.include <bsd.port.pre.mk> + .if defined(WITH_GSTREAMER) USE_GSTREAMER= yes .else @@ -41,4 +42,5 @@ CONFIGURE_ARGS+= --disable-gstreamer --e post-patch: @${REINPLACE_CMD} -e 's|SWFDEC_LIBVERSION="0:0:0"|SWFDEC_LIBVERSION="1:0:0"|' ${WRKSRC}/configure.ac -.include <bsd.port.mk> + +.include <bsd.port.post.mk> Index: distinfo =================================================================== RCS file: /home/pcvs/ports/graphics/swfdec/distinfo,v retrieving revision 1.18 diff -u -p -r1.18 distinfo --- distinfo 24 Mar 2008 03:49:48 -0000 1.18 +++ distinfo 3 May 2008 12:14:16 -0000 @@ -1,3 +1,3 @@ -MD5 (swfdec-0.6.0.tar.gz) = c012a5e6dd23558b86d2e08e2e43857b -SHA256 (swfdec-0.6.0.tar.gz) = bd7c9068ce545ef75f8820b94f6b0954194ca5b106a53463bf9a6ed448fa057f -SIZE (swfdec-0.6.0.tar.gz) = 8762575 +MD5 (swfdec-0.6.6.tar.gz) = 3e91d48e0b8b839e12ff8f9ced4b5040 +SHA256 (swfdec-0.6.6.tar.gz) = 46d95b19f6a855ee95671928f1d23cd3991a151131a13fa89d2c388ad20e4a82 +SIZE (swfdec-0.6.6.tar.gz) = 8773316 Index: files/patch-swfdec-gtk_swfdec_gtk_system.c =================================================================== RCS file: files/patch-swfdec-gtk_swfdec_gtk_system.c diff -N files/patch-swfdec-gtk_swfdec_gtk_system.c --- files/patch-swfdec-gtk_swfdec_gtk_system.c 24 Mar 2008 03:49:49 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ ---- swfdec-gtk/swfdec_gtk_system.c.orig 2008-02-22 15:38:09.000000000 -0500 -+++ swfdec-gtk/swfdec_gtk_system.c 2008-02-22 15:38:13.000000000 -0500 -@@ -114,8 +114,12 @@ swfdec_gtk_system_get_language (void) - static int - swfdec_gtk_system_get_utc_offset (void) - { -+ struct tm *t; -+ time_t tt; - tzset (); -- return timezone / 60; -+ tt = time (NULL); -+ t = localtime (&tt); -+ return t->tm_gmtoff / 60; - } - - /*** PUBLIC API ***/ --- swfdec.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
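Review bot: in the first Makefile hunk, dropping PORTREVISION together with the PORTVERSION bump from 0.6.0 to 0.6.6 is correct (PORTREVISION resets on a version change), and MASTER_SITES still points at the 0.6/ directory, which matches the new version. Since the PR description quotes the advisory as fixed in 0.6.4, the commit message should state that this is a security update and name the affected range (versions prior to 0.6.4) so the port's vulnerability record can be updated in the same commit.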
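Review bot: the second Makefile hunk places `.include <bsd.port.pre.mk>` after `OPTIONS= GSTREAMER` and before `.if defined(WITH_GSTREAMER)`, which is the required order: the port's saved OPTIONS choices are read in by bsd.port.pre.mk, so testing WITH_GSTREAMER before that include only works when the variable happens to be set in the environment or make.conf, and otherwise the `.else` branch (`--disable-gstreamer`) is taken regardless of the user's selection. This is the bug the submitter describes and the hunk fixes it.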
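Review bot: the third Makefile hunk correctly pairs the earlier bsd.port.pre.mk with `.include <bsd.port.post.mk>` in place of `.include <bsd.port.mk>`; one style point and one check. Style: the hunk adds an extra blank line (`+` followed by `+.include <bsd.port.post.mk>`, with a blank context line already present), leaving two blank lines after the post-patch target where one is enough. Check: the unchanged post-patch line rewrites `SWFDEC_LIBVERSION="0:0:0"` to `"1:0:0"` in configure.ac; please confirm that string still exists in the 0.6.6 configure.ac, because REINPLACE_CMD does not fail on a non-matching pattern and a silent no-op would change the installed library version and the packing list.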
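Review bot: for the distinfo hunk, regenerate the MD5, SHA256 and SIZE lines with `make makesum` against a freshly fetched swfdec-0.6.6.tar.gz from the MASTER_SITES directory rather than taking the values from the PR text; distinfo is the only integrity check the ports tree applies to the downloaded distfile, and SHA256 is the checksum that provides meaningful assurance. For a security update it is worth additionally comparing the SHA256 with the checksum published upstream before committing.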
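Review bot: removing files/patch-swfdec-gtk_swfdec_gtk_system.c needs a build check, not just the submitter's note that it is no longer needed. The removed patch existed because `return timezone / 60;` in swfdec_gtk_system_get_utc_offset does not build on FreeBSD, where `timezone` is not the glibc global variable; the local fix used `localtime()` and `t->tm_gmtoff / 60`. Please confirm that swfdec 0.6.6 ships an equivalent change in swfdec-gtk/swfdec_gtk_system.c, since if upstream still uses `timezone` the port will fail to compile rather than merely behave differently.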