From: Hilko Meyer
To: josef@FreeBSD.org
cc: ports@FreeBSD.org
cc: security@FreeBSD.org
Date: Tue, 16 Nov 2004 23:44:50 +0100
Message-ID: <8uvkp0t1u3h86hl2hjniukcl0b6rvf0ki0@4ax.com>
Subject: Re: Problem with cups/xpdf
List-Id: Porting software to FreeBSD

Josef El-Rayes wrote
>Josef El-Rayes :
>> Michael Nottebrock :
>> > > I am trying to upgrade my cups-port with an up-to-date ports-tree. It fails
>> > > because of the xpdf-vulnerability. But my xpdf-port is the most recent one
>> > > and I think that the vulnerability was handled in this version (if I can
>> > > believe the cvs-comment).
>> > >
>> > > ===> cups-base-1.1.22.0 has known vulnerabilities:
>> > > >> xpdf -- integer overflow vulnerabilities.
>> > >
>> > > Reference:
>> > > d .html>
>> >
>> > The vuxml entry is wrong, vid ad2f3337-26bf-11d9-9289-000c41e2cdad has
>> > 0 but needs 1.1.21.
>> >
>>
>> Yes, you are absolutely right, I will correct the wrong range(s).
>
>Okay I was a bit too fast, where did you find that the cups people fixed
>this issue in their new release?

Look at http://www.cups.org/relnotes.php
I think that's this one:

| Changes in CUPS v1.1.22rc2:
| The pdftops filter didn't check the range of all integer attributes (STR #972)

STR #972 links to http://www.cups.org/str.php?L972

| Michael Sweet
| 14:10 Oct 20, 2004 The Xpdf-based pdftops filter has a range checking bug which could cause buffer overflows and/or denial-of-service problems.

Hilko