Created attachment 208100
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites

Xpdf release 4.02 has fixed the serious vulnerability CVE-2019-16927 (out-of-bounds write). I have extracted the relevant change from the diff between 4.01.01 and 4.02 and backported it to 3.04. See the patch to TextOutputDev.cc in the attached diff.

Release 4.01.01 contained a different stopgap fix for CVE-2019-9877, a closely related out-of-bounds write. It turns out that the fix for CVE-2019-16927 will also protect against CVE-2019-9877.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVE-2019-9877&search_type=all
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41265

While here, I suggest also updating the WWW URL and the dead master sites.

A commit references this bug:

Author: cy
Date: Fri Oct 4 22:12:37 UTC 2019
New revision: 513784
URL: https://svnweb.freebsd.org/changeset/ports/513784

Log:
  Update MASTER_SITES removing dead URLs.

  PR: 241066
  Submitted by: naddy

Changes:
  head/graphics/xpdf3/Makefile

A commit references this bug:

Author: cy
Date: Fri Oct 4 22:12:40 UTC 2019
New revision: 513785
URL: https://svnweb.freebsd.org/changeset/ports/513785

Log:
  Update WWW.

  PR: 241066
  Submitted by: naddy
  MFH: 2019Q4

Changes:
  head/graphics/xpdf3/pkg-descr

A commit references this bug:

Author: cy
Date: Fri Oct 4 22:12:44 UTC 2019
New revision: 513786
URL: https://svnweb.freebsd.org/changeset/ports/513786

Log:
  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR: 241066
  Submitted by: naddy
  MFH: 2019Q4

Changes:
  head/graphics/xpdf3/Makefile
  head/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc

Thank you for the patches.
^Triage: Re-open pending VuXML entries and merge
MFC requests have been sent. I'll try to document the CVEs this week.
A commit references this bug:

Author: cy
Date: Sun Oct 6 01:48:50 UTC 2019
New revision: 513861
URL: https://svnweb.freebsd.org/changeset/ports/513861

Log:
  Document two new Xpdf vulnerabilities: CVE-2019-16927 and CVE-2019-9877.

  PR: 241066
  Security: https://nvd.nist.gov/vuln/detail/CVE-2019-16927
  Security: https://nvd.nist.gov/vuln/detail/CVE-2019-9877
  Security: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9877
  Security: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16927

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: cy
Date: Sun Oct 6 05:52:59 UTC 2019
New revision: 513870
URL: https://svnweb.freebsd.org/changeset/ports/513870

Log:
  Take PORTEPOCH into account.

  PR: 241066
  Reported by: tobik

Changes:
  head/security/vuxml/vuln.xml

The "fixed version" VuXML entries for version 3 never match, because the PKG is always named "xpdf" without a number and requires version 4+. Is there a way to fix these?
Do not install xpdf3 with XPDF_VERSION?=3.
A commit references this bug:

Author: cy
Date: Sat Oct 19 03:08:42 UTC 2019
New revision: 514746
URL: https://svnweb.freebsd.org/changeset/ports/514746

Log:
  MFH: r513783 r513785 r513786

  Pacify stage-qa in DEVELOPER mode.

  Update WWW.

  PR: 241066
  Submitted by: naddy

  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR: 241066
  Submitted by: naddy

  Approved by: portmgr (miwi)

Changes:
  _U branches/2019Q4/
  branches/2019Q4/graphics/xpdf3/Makefile
  branches/2019Q4/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc
  branches/2019Q4/graphics/xpdf3/pkg-descr

Fixed.