http://www.ocert.org/advisories/ocert-2015-006.html
Created attachment 157234 [details]
security/vuxml documentation for dcraw

sunpoet@,

If Dcraw 9.26 on upstream's site contains the fix, a tentative patch is attached for the security/vuxml update when Dcraw gets updated. This combines it with the existing entry for CVE-2015-3885 in a similar manner to what was done on the VENOM vulnerability earlier. Validation steps are shown below and, with the exception of the modified date requiring an update when the patch gets applied, this should be good to go.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-7.00
dcraw-7.00 is vulnerable:
dcraw and ufraw -- integer overflow condition
WWW: http://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-9.25
dcraw-9.25 is vulnerable:
dcraw and ufraw -- integer overflow condition
WWW: http://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-9.26
0 problem(s) in the installed packages found.
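The three pkg audit runs in the comment above are decided by the version ranges in the VuXML entry: any dcraw below 9.26 matches, 9.26 itself does not. The following is an added example, not code from this bug report, from the attached patch, or from the FreeBSD vuxml or pkg projects. It parses a constructed, minimal VuXML-style entry (the real attachment is not on this page; the <lt>9.26</lt> bound and the single <name>dcraw</name> are assumptions inferred from the audit output) and reproduces the same three verdicts. The version comparator is deliberately simplified and is not pkg's algorithm: it handles the common version_PORTREVISION,PORTEPOCH shape but ignores letter suffixes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, minimal VuXML-style entry for illustration only. It is NOT the
# text of the attached vuln.xml patch; the package name, the <lt>9.26</lt>
# bound and the vid are assumptions mirroring the pkg audit output above.
VULN_XML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="57325ecf-facc-11e4-968f-b888e347c638">
    <topic>dcraw and ufraw -- integer overflow condition</topic>
    <affects>
      <package>
        <name>dcraw</name>
        <range><lt>9.26</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(ver):
    """Split a FreeBSD-style package version into (epoch, parts, revision).

    Handles the shape  1.2.3_4,5  (version_PORTREVISION,PORTEPOCH).
    Simplified comparator, not pkg's full algorithm: letter suffixes such
    as 'b2' or 'p1' are ignored, only numeric components are compared."""
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    parts = [int(p) for p in re.findall(r"\d+", ver)]
    return epoch, parts, revision


def version_cmp(a, b):
    """Return -1, 0 or 1 like a classic cmp(): epoch, then parts, then revision."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    # Pad the shorter component list with zeros so that 9.26 == 9.26.0.
    n = max(len(pa), len(pb))
    pa = pa + [0] * (n - len(pa))
    pb = pb + [0] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


# VuXML range operators, applied to the cmp() result of (installed, bound).
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def split_pkg(pkg):
    """'dcraw-7.00' -> ('dcraw', '7.00'); the version follows the last dash."""
    name, _, ver = pkg.rpartition("-")
    return name, ver


def audit(pkg, vuln_xml=VULN_XML):
    """Return [(vid, topic), ...] for every <vuln> whose ranges match pkg."""
    name, ver = split_pkg(pkg)
    root = ET.fromstring(vuln_xml)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for package in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in package.findall("v:name", NS)]
            if name not in names:
                continue
            for rng in package.findall("v:range", NS):
                # All bounds inside one <range> must hold (they are ANDed);
                # separate <range> elements are alternatives.
                bounds = [(b.tag.split("}")[1], b.text) for b in rng]
                if all(OPS[op](version_cmp(ver, bound)) for op, bound in bounds):
                    hits.append((vuln.get("vid"),
                                 vuln.findtext("v:topic", namespaces=NS)))
                    break
    return hits


if __name__ == "__main__":
    for pkg in ("dcraw-7.00", "dcraw-9.25", "dcraw-9.26"):
        hits = audit(pkg)
        print(pkg, "is vulnerable:" if hits else "OK", [t for _, t in hits])
```

Running the script gives the same verdicts as the three pkg audit invocations above: dcraw-7.00 and dcraw-9.25 match the entry, dcraw-9.26 does not. When editing a real vuln.xml, the `make validate` plus `pkg audit` sequence in the comment remains the check that matters, since it exercises pkg's own version comparison rather than this simplified one.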
A commit references this bug:

Author: sunpoet
Date: Sat Jun 6 18:21:18 UTC 2015
New revision: 388679
URL: https://svnweb.freebsd.org/changeset/ports/388679

Log:
  - Update VuXML

  PR:		200196
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Committed. Thanks!