Bug 206590

Summary: security/vuxml: Add entry for devel/gdcm - CVE-2015-8397 & CVE-2015-8396
Product: Ports & Packages
Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)
Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Only Me
CC: junovitch, ports-secteam
Priority: ---
Keywords: needs-patch, needs-qa, security
Version: Latest
Flags: junovitch: merge-quarterly-
Hardware: Any
OS: Any
Bug Depends on: 203479
Bug Blocks:

Description Sevan Janiyan 2016-01-25 02:06:38 UTC
"GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks." May not apply to the version currently in ports; however, there's Bug 203479, which brings the port up to date.
http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/
Comment 1 Sevan Janiyan 2016-01-25 02:10:17 UTC
CVE-2015-8397, CVE-2015-8396
http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
Comment 2 commit-hook freebsd_committer 2016-02-01 02:43:24 UTC
A commit references this bug:

Author: junovitch
Date: Mon Feb  1 02:42:40 UTC 2016
New revision: 407678
URL: https://svnweb.freebsd.org/changeset/ports/407678

Log:
  Document multiple vulnerabilities in gdcm

  PR:		206590
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Security:	CVE-2015-8396
  Security:	CVE-2015-8397
  Security:	https://vuxml.FreeBSD.org/freebsd/e00d8b94-c88a-11e5-b5fe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Jason Unovitch freebsd_committer 2016-02-01 11:42:39 UTC
Marked closed/fixed. Setting merge-quarterly- as VuXML MFH doesn't apply and all the original effort in bug 203479 covers the actual fix.