Date: Tue, 2 Jul 2013 23:19:11 -0400
From: Ryan Steinmetz
To: krichy@tvnetwork.hu
Cc: FreeBSD-Security@freebsd.org
Subject: Re: curl and CVE-2013-2174
Message-ID: <20130703031910.GA61102@exodus.zi0r.com>

On (07/03/13 05:01), krichy@tvnetwork.hu wrote:
>Dear members,
>
>It may sound a silly question. I have curl installed:
># pkg_info |grep curl
>curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
>
>Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
>in files/, but the port version remained such that portaudit, and
>portupgrade still complain about curl's version. What is the recommended
>way to upgrade the package?

Run:
portaudit -Fda

Then try your upgrade again.

-r

>
># portupgrade curl-7.24.0_3
>---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
>---> Building '/usr/ports/ftp/curl'
>===> Cleaning for curl-7.24.0_4
>===> curl-7.24.0_4 has known vulnerabilities:
>Affected package: curl-7.24.0_4
>Type of problem: cURL library -- heap corruption in curl_easy_unescape.
>Reference:
>http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>=> Please update your ports tree and try again.
>*** [check-vulnerable] Error code 1
>
>Stop in /usr/ports/ftp/curl.
>*** [build] Error code 1
>
>Stop in /usr/ports/ftp/curl.
>** Command failed [exit code 1]: /usr/bin/script -qa
>/tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
>UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
>** Fix the problem and try again.
>** Listing the failed packages (-:ignored / *:skipped / !:failed)
> ! ftp/curl (curl-7.24.0_3) (unknown build error)
>
>Thanks in advance,
>
>
>Kojedzinszky Richard
>Euronet Magyarorszag Informatikai Zrt.

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2