Date: Sun, 18 Aug 2013 18:51:44 GMT
From: Derek Schrock <dereks@lifeofadishwasher.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/181384: /var/db/pkg/auditfile has a type for lcms2
Message-ID: <201308181851.r7IIpihV095745@oldred.freebsd.org>
Resent-Message-ID: <201308181900.r7IJ00gQ091112@freefall.freebsd.org>
>Number: 181384
>Category: misc
>Synopsis: /var/db/pkg/auditfile has a type for lcms2
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Aug 18 19:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Derek Schrock
>Release: FreeBSD 9.1-RELEASE-p5
>Organization:
>Environment:
>Description:
/var/db/pkg/auditfile has a typo for lcms2

$ grep ^lcms2 /var/db/pkg/auditfile
lcms2>0|http://portaudit.FreeBSD.org/9a0a892e-05d8-11e3-ba09-000c29784fd1.html|lcms2 -- Null Pointer Dereference Denial of Service Vulnerability

Unless I'm reading the bug incorrectly the CVE was fixed in 2.5:

https://bugs.mageia.org/show_bug.cgi?id=10816

graphics/lcms2 is lcms 2.5
>How-To-Repeat:
Building from port fails:

$ sudo make -C /usr/ports/graphics/lcms2/
===> lcms2-2.5 has known vulnerabilities:
lcms2-2.5 is vulnerable:
lcms2 -- Null Pointer Dereference Denial of Service Vulnerability
WWW: http://portaudit.FreeBSD.org/9a0a892e-05d8-11e3-ba09-000c29784fd1.html

=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/graphics/lcms2.
*** [build] Error code 1

Stop in /usr/ports/graphics/lcms2.
>Fix:
Change /var/db/pkg/auditfile lcms2 entry to <2.5:

lcms2<2.5|http://portaudit.FreeBSD.org/9a0a892e-05d8-11e3-ba09-000c29784fd1.html|lcms2 -- Null Pointer Dereference Denial of Service Vulnerability
>Release-Note:
>Audit-Trail:
>Unformatted:
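Added example, not part of the original report and not portaudit's own code: a small checker showing why the reported `lcms2>0` entry flags lcms2-2.5 while the proposed `lcms2<2.5` entry does not. It assumes the `pattern|url|description` layout visible in the grep output and plain dotted numeric versions (no port revision or epoch suffixes, no glob patterns); the function names are hypothetical.

```python
import re

# Constructed sample lines, copied from the entries quoted in the report.
URL = "http://portaudit.FreeBSD.org/9a0a892e-05d8-11e3-ba09-000c29784fd1.html"
DESC = "lcms2 -- Null Pointer Dereference Denial of Service Vulnerability"
REPORTED = f"lcms2>0|{URL}|{DESC}"    # entry as found in the auditfile
PROPOSED = f"lcms2<2.5|{URL}|{DESC}"  # entry proposed under >Fix:

_CONSTRAINT = re.compile(r"(<=|>=|<|>|=)([0-9][0-9.]*)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def _key(version, width):
    """Dotted version -> list of ints, zero-padded so 2.5 and 2.5.0 compare equal."""
    parts = [int(p) for p in version.split(".") if p]
    return parts + [0] * (width - len(parts))

def parse_entry(line):
    """Split one auditfile line into (name, [(op, version), ...], url, description)."""
    pattern, url, description = line.rstrip("\n").split("|", 2)
    m = re.match(r"[^<>=]+", pattern)
    if not m:
        raise ValueError(f"no package name in pattern: {pattern!r}")
    rest = pattern[m.end():]
    constraints = _CONSTRAINT.findall(rest)
    # Refuse anything this simplified parser does not fully understand.
    if "".join(op + v for op, v in constraints) != rest:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return m.group(0), constraints, url, description

def is_flagged(line, pkg_name, pkg_version):
    """True when every version constraint in the entry matches the package."""
    name, constraints, _, _ = parse_entry(line)
    if name != pkg_name:
        return False
    for op, bound in constraints:
        width = max(len(pkg_version.split(".")), len(bound.split(".")))
        if not _OPS[op](_key(pkg_version, width), _key(bound, width)):
            return False
    return True
```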