Eitan Adler alerted me to two flaws that are present in the version of the 'mail' gem currently in ports. These are both fixed in the current (2.4.4) version. Please see http://seclists.org/oss-sec/2012/q2/190 for details of the flaws. These will have CVE-2012-2139 and CVE-2012-2140 assigned.

The patch in this PR updates the mail gem to 2.4.4. As it stands, by the gemspecs there should be some version mismatches with 2.4.4, some pre-existing, some new [1]. That said, I've successfully installed on a clean system and run test scripts using

- mail/rubygem-actionmailer
- mail/rubygem-pony
- mail/rubygem-mail

to send email, so I'm fairly confident this won't break rails or anything. I have removed the active-support dependency, since this appears to have been removed back in version 2.3.0.

[1] By the gemspec mail requires:
* i18n >= 0.4.0
* mime-types ~> 1.16
* treetop ~> 1.4.8

Currently ports has:
* devel/rubygem-i18n 0.6.0
* misc/rubygem-mime-types 1.17.2
* devel/rubygem-treetop 1.4.10

So mime-types and treetop are currently wrong, but it still appears to work without issues I can see with my limited testing.

How-To-Repeat: See http://seclists.org/oss-sec/2012/q2/190 CVE-2012-2139 CVE-2012-2140
Responsible Changed From-To: freebsd-ports-bugs->ruby ruby@ wants this port PRs (via the GNATS Auto Assign Tool)
Responsible Changed From-To: ruby->swills I'll take it. http://www.freebsd.org/cgi/query-pr.cgi?pr=167363 diff -ru vuxml.old/vuln.xml vuxml/vuln.xml --- vuxml.old/vuln.xml 2012-04-29 17:15:49.000000000 +0100 +++ vuxml/vuln.xml 2012-04-29 23:01:18.000000000 +0100 @@ -52,6 +52,31 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="8d57a6bd-9210-11e1-a1f2-bc305bd4126b"> + <topic>Several vulnerabilities found in rubygem-mail</topic> + <affects> + <package> + <name>rubygem-mail</name> + <range><ge>0</ge><lt>2.4.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Mail Gem is susceptible to a file system traversal in file_delivery method and arbitrary command execution when using exim or sendmail from the command line.</p> + </body> + </description> + <references> + <freebsdpr>ports/167363</freebsdpr> + <cvename>CVE-2012-2139</cvename> + <cvename>CVE-2012-2140</cvename> + <mlist>http://seclists.org/oss-sec/2012/q2/190</mlist> + </references> + <dates> + <discovery>2012-03-14</discovery> + <entry>2012-04-29</entry> + </dates> + </vuln> + <vuln vid="5d85976a-9011-11e1-b5e0-000c299b62e1"> <topic>net-snmp -- Remote DoS</topic> <affects>
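Review bot: the <topic> should follow the "package -- issue" form used by the neighbouring entry (`<topic>net-snmp -- Remote DoS</topic>`), for example `<topic>rubygem-mail -- file system traversal and command execution</topic>`, rather than "Several vulnerabilities found in rubygem-mail". The <description> names two flaws and <references> lists two CVEs but nothing says which CVE belongs to which flaw; splitting the single <p> into one paragraph per flaw, each naming its CVE, would make the entry usable from audit output. The range `<ge>0</ge><lt>2.4.4</lt>` correctly marks every release before the fixed 2.4.4 as affected, so the `lt` semantics are right here. Worth confirming the `<discovery>2012-03-14</discovery>` date, since the only dated source in <references> is the oss-sec thread from Q2 2012 linked under <mlist>.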
----- Forwarded message from Eric <freebsdports@chillibear.com> -----

Date: Mon, 07 May 2012 13:07:14 +0100
From: Eric <freebsdports@chillibear.com>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/167363: [MAINTAINER] update mail/rubygem-mail to 2.4.4

Attached is a vuXML patch for this security issue that can be applied against the vuln.xml file in security/vuxml.

Hopefully it's all okay (first time vuxml); the only thing unclear from the porters handbook were the 'lt' tags, where in the examples given they seemed to be a true "less than" in one example and then a "less than or equal to" in another. To clarify in case I have it wrong: version 2.4.4 of the Gem _fixes_ the issue, so versions before that have the problem.

This vuxml has only been visually verified - I found several steps in section '11.3.3' in the porters handbook didn't seem to work 'out of the box'.

----- End forwarded message -----
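The `lt` question above is answered by evaluating the entry's range against concrete versions. The following is an added example, not FreeBSD's pkg-audit code or anything from the PR: it parses a constructed copy of the rubygem-mail `<vuln>` entry from the patch and checks installed versions against its `<range>`, using a simplified dotted-numeric version ordering (an assumption; the real port-version grammar is richer).

```python
# Added example: evaluate a VuXML <range> against an installed version.
# Not FreeBSD's pkg-audit code; the version compare is a simplified
# dotted-numeric ordering (assumption), not the full port-version grammar.
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample: the rubygem-mail <vuln> from the PR's vuln.xml diff, trimmed.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="8d57a6bd-9210-11e1-a1f2-bc305bd4126b">
    <affects><package>
      <name>rubygem-mail</name>
      <range><ge>0</ge><lt>2.4.4</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

# VuXML bound tags and the test each applies to (installed, bound).
BOUNDS = {
    "ge": lambda v, b: v >= b, "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b, "lt": lambda v, b: v < b,
    "eq": lambda v, b: v == b,
}


def version_key(version):
    """'2.4.4' or '2.4.4_1' -> tuple of ints; missing parts compare as 0."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (5 - len(nums)))


def ranges_for(vuxml_text, package):
    """All <range> elements under <package> entries naming `package`."""
    root = ET.fromstring(vuxml_text)
    return [r for p in root.iter(NS + "package")
            if p.findtext(NS + "name") == package
            for r in p.findall(NS + "range")]


def is_vulnerable(vuxml_text, package, installed):
    """Affected if `installed` satisfies every bound of any matching range."""
    v = version_key(installed)
    for rng in ranges_for(vuxml_text, package):
        bounds = [(b.tag[len(NS):], version_key(b.text)) for b in rng]
        if bounds and all(BOUNDS[tag](v, bound) for tag, bound in bounds):
            return True
    return False
```

With `<lt>2.4.4</lt>`, 2.4.3 is reported as affected and 2.4.4 (the fixed release) is not, which is the strict "less than" reading Eric assumed.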
State Changed From-To: open->closed Committed, Thanks! (Got in a hurry and didn't see the vuxml entry that's part of the PR until I'd written one of my own and committed it. It can be tweaked if necessary.)