See [1] and [2].

Fix: The following diff adds the patch from Thomas Hoger that was accepted into PHP 5.x. The patch was whitespace-modified for graphics/gd. I have verified that all three ports build fine and graphics/gd works as expected with respect to image conversion (GD -> PNG -> GD) and graphics creation.

How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
[2] http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
Responsible Changed From-To: freebsd-ports-bugs->dinoex Over to maintainer (via the GNATS Auto Assign Tool)
dinoex 2009-11-06 21:37:16 UTC

FreeBSD ports repository

Modified files:
  graphics/gd          Makefile
Added files:
  graphics/gd/files    patch-cve-2009-3546
Log:
- Security patch

Security: CVE-2009-3546
Security: http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
PR: 140335
Submitted by: Eygene Ryabinkin
Obtained from: PHP project

Revision  Changes  Path
1.92      +1 -1    ports/graphics/gd/Makefile
1.1       +15 -0   ports/graphics/gd/files/patch-cve-2009-3546 (new)
Responsible Changed From-To: dinoex->ale Over to maintainer of */php*
Following Dirk Meyer's commit to graphics/gd the Vulnerabilities Database entry needs updating since it says all versions of graphics/gd are vulnerable, even the fixed version.

(I am not familiar with the syntax used and so I am unable to suggest what is required.)

Cheers,
Nick.
Sun, Nov 08, 2009 at 09:05:17AM +0000, N.J. Mann wrote:
> Following Dirk Meyer's commit to graphics/gd the Vulnerabilities
> Database entry needs updating since it says all versions of graphics/gd
> are vulnerable, even the fixed version.
>
> (I am not familiar with the syntax used and so I am unable to suggest
> what is required.)

The patch for the security/vuxml/vuln.xml is inside the suggested patchset that was submitted with this PR.

--
Eygene

Remember that it is hard to read the on-line manual while single-stepping the kernel.
-- FreeBSD Developers handbook
portaudit -F
portupgrade -a or portmaster -a will fix that issue.

--
Chris Petrik
Consulting: http://www.officialunix.com
BSD Site: http://www.bsdjunk.com
FreeBSD ports contributor since 18-July-2009
graphics/gd and graphics/php5-gd have been patched.

http://portaudit.freebsd.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html says that php4-gd >0 is affected. This implies that the patch provided by Eygene Ryabinkin won't be included in graphics/php4-gd, but instead the port will remain marked as vulnerable.

The last php4 release was in Aug of 2008. It's unlikely a php4 release fixing CVE-2009-3546 will happen.

Please set this PR either into suspend state or close it.

Cheers.
alex
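The shape of the vuln.xml entry that Nick and Eygene are discussing, and of the open-ended php4-gd range alex refers to, as a constructed illustration that is not the entry from this PR's patchset: the update Nick asks for is the `<lt>` bound in `<range>`, which tells portaudit that the patched version is no longer affected. The vid and CVE are taken from this thread; the version strings, topic wording, description and dates are placeholders.

```xml
<!-- Constructed illustration, not the VuXML entry from the PR's patchset.
     Placeholders: FIXED_GD_VERSION, FIXED_PHP5_GD_VERSION, the description
     and the dates; the vid and CVE are the ones referenced in this PR. -->
<vuln vid="4e8344a3-ca52-11de-8ee8-00215c6a37bb">
  <topic>gd -- security issue in GD file handling (CVE-2009-3546)</topic>
  <affects>
    <package>
      <name>gd</name>
      <!-- Without an <lt> bound every version is reported as affected,
           including the patched one; the bound is what the thread asks for. -->
      <range><lt>FIXED_GD_VERSION</lt></range>
    </package>
    <package>
      <name>php5-gd</name>
      <range><lt>FIXED_PHP5_GD_VERSION</lt></range>
    </package>
    <package>
      <name>php4-gd</name>
      <!-- No fixed release is expected, so the range stays open-ended;
           portaudit renders this as "php4-gd >0". -->
      <range><gt>0</gt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>DESCRIPTION_PLACEHOLDER</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-3546</cvename>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery>
    <entry>YYYY-MM-DD</entry>
    <modified>YYYY-MM-DD</modified>
  </dates>
</vuln>
```

After editing, `make validate` in security/vuxml checks the entry against the VuXML DTD before `portaudit -F` will pick it up.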
State Changed From-To: open->closed Closed since it has been patched.