realvnc.com released a new version (in Oct), but the fetch doesn't know the difference and, despite the port unsuspectingly fetching the latest 4.1.3 version, forces the output filename to vnc-4_1_2-unixsrc.tar.gz with -o...

    /usr/bin/fetch -ApRr -o vnc-4_1_3-unixsrc.tar.gz 'http://www.realvnc.com/cgi-bin/download.cgi?product=free4/src/unix&acceptLicense=1&haveDetails=1&filetype=tar_gz'

Adding '&filever=4.1.2' to the CGI download URL would work around this since the 4.1.2 tarball is still available, but we should update to 4.1.3.

Only one code change: to bounds check a decoders array index before dereferencing in vnc-4_1_3-unixsrc/common/rfb/CMsgReader.cxx

... + if (encoding > encodingMax) + throw Exception("Unknown rect encoding");

Other than that, there were some minor 'configure' changes (for instance, to support Solaris better, it seems) and some changes to .vcproj (Visual Studio C IDE project files). For us, the only change should be the one instance of better bounds checking shown above.

There is a reported vulnerability for 4.1.2 fixed by the change shown above - supposedly a remote code execution vulnerability...

http://www.net-security.org/vuln.php?id=6135

Fix: Update to the latest release 4.1.3 and add 'filever' to the fetch instruction so the inadvertent broken checksum doesn't happen again.
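Review bot: the added test "if (encoding > encodingMax)" rejects only values above the maximum, so before relying on it confirm in CMsgReader.cxx that encoding is an unsigned type (a negative index would pass this comparison) and that the decoders array holds encodingMax + 1 entries, since ">" rather than ">=" leaves index encodingMax itself in range. Neither the declaration of encoding nor the size of the array is visible in the quoted lines.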
Responsible Changed
From-To: freebsd-ports-bugs->wxs

I'll take it as I'm hoping to handle all the net/vnc PRs in the upcoming weeks.
wxs 2008-12-27 03:08:15 UTC

FreeBSD ports repository

Modified files:
  net/vnc Makefile distinfo
Log:
  - Update to 4.1.3
  - This is still buggy on AMD64, I'm working on a fix.

PR: ports/128510, ports/128515, ports/129289, ports/129894
Submitted by: Lots of people

Revision  Changes  Path
1.62      +3 -6    ports/net/vnc/Makefile
1.20      +3 -3    ports/net/vnc/distinfo
State Changed
From-To: open->closed

Updated to 4.1.3