Bug 200196

Summary: [security] graphics/dcraw - CVE-2015-3885
Product: Ports & Packages
Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)
Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED
Severity: Affects Only Me
CC: junovitch
Priority: ---
Flags: bugzilla: maintainer-feedback? (sunpoet)
Version: Latest
Hardware: Any
OS: Any
Attachments:
  security/vuxml documentation for dcraw (flags: none)

Comment 1 Jason Unovitch 2015-05-28 22:30:16 UTC
Created attachment 157234 [details]
security/vuxml documentation for dcraw

sunpoet@,

If Dcraw 9.26 on upstream's site contains the fix, a tentative patch is attached for the security/vuxml update when Dcraw gets updated.  This combines it with the existing entry for CVE-2015-3885 in a similar manner to what was done on the VENOM vulnerability earlier.  Validation steps are shown below and with the exception of the modified date requiring an update when the patch gets applied this should be good to go.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-7.00
dcraw-7.00 is vulnerable:
dcraw and ufraw -- integer overflow condition
WWW: http://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-9.25
dcraw-9.25 is vulnerable:
dcraw and ufraw -- integer overflow condition
WWW: http://vuxml.FreeBSD.org/freebsd/57325ecf-facc-11e4-968f-b888e347c638.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit dcraw-9.26
0 problem(s) in the installed packages found.
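The pkg audit runs above check each package version against the <range> bounds of the VuXML entry. As an added illustration (not the attached patch and not pkg(8) itself), the following script evaluates a constructed, simplified VuXML entry for dcraw with a <lt>9.26</lt> bound, which is an assumption consistent with the output above, against the same three package versions; its version comparison handles only numeric dot-separated components, a simplification of the real pkg version ordering.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified VuXML-style entry (an assumption modelled on the
# pkg audit output above, not the actual attachment): dcraw before 9.26.
VULN_XML = """
<vuxml>
  <vuln vid="57325ecf-facc-11e4-968f-b888e347c638">
    <topic>dcraw and ufraw -- integer overflow condition</topic>
    <affects>
      <package>
        <name>dcraw</name>
        <range><lt>9.26</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

def split_pkg(pkg):
    """Split 'dcraw-9.25' into ('dcraw', '9.25') at the last dash."""
    name, _, version = pkg.rpartition("-")
    return name, version

def version_key(version):
    """Simplified ordering key: numeric components only (assumption; the
    real pkg(8) comparison also handles letters, '_' and ',' epochs)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def in_range(version, rng):
    """True if the version satisfies every bound inside one <range>."""
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    v = version_key(version)
    return all(ops[b.tag](v, version_key(b.text)) for b in rng)

def audit(pkg, xml_text=VULN_XML):
    """Return (vid, topic) pairs of entries affecting pkg, as pkg audit
    would report them; ranges on one package are alternatives (OR)."""
    name, version = split_pkg(pkg)
    hits = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        for p in vuln.iter("package"):
            if p.findtext("name") != name:
                continue
            if any(in_range(version, r) for r in p.findall("range")):
                hits.append((vuln.get("vid"), vuln.findtext("topic")))
    return hits
```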
Comment 2 commit-hook 2015-06-06 18:22:01 UTC
A commit references this bug:

Author: sunpoet
Date: Sat Jun  6 18:21:18 UTC 2015
New revision: 388679
URL: https://svnweb.freebsd.org/changeset/ports/388679

Log:
  - Update VuXML

  PR:		200196
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Po-Chuan Hsieh 2015-06-06 18:22:28 UTC
Committed. Thanks!