Bug 209404 - security/vuxml CVE-2016-1541 archive/libarchive entry version incorrect 2.3 should be 3.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
Reported: 2016-05-09 20:25 UTC by Derek Schrock
Modified: 2016-05-10 00:24 UTC
bugzilla: maintainer-feedback? (ports-secteam)


Description Derek Schrock 2016-05-09 20:25:06 UTC
Based off the following commit:

http://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=414860&r2=414889

The latest archivers/libarchive vuxml entry (CVE-2016-1541) was fixed in 3.2 not 2.3.

Appears there was confusion with the latest commit:

http://svnweb.freebsd.org/ports/head/archivers/libarchive/distinfo?view=log

"Upgrading to 2.3"
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-05-10 00:23:09 UTC
A commit references this bug:

Author: junovitch
Date: Tue May 10 00:22:28 UTC 2016
New revision: 414896
URL: https://svnweb.freebsd.org/changeset/ports/414896

Log:
  Fix version range for libarchive entry. [1]

  While here, add CVE and wrap lines at <80

  PR:		209404 [1]
  Reported by:	dereks@lifeofadishwasher.com [1]
  Security:	CVE-2016-1541
  Security:	https://vuxml.FreeBSD.org/freebsd/2b4c8e1f-1609-11e6-b55e-b499baebfeaf.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-05-10 00:24:47 UTC
Thanks for the report. The commit messages for both the VuXML and actual port update were incorrect. The distinfo and VuXML test reflected 3.2.0, which is the correct version where the issue is fixed.