Maintainer of deskutils/remind,

A security issue has been publicly reported against this port.

References:

http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html
"* Version 3.1 Patch 15 - 2015-07-27 BUG FIX: Fix a buffer overflow found by Alexander Keller"

http://www.openwall.com/lists/oss-security/2015/08/07/1
"> var.c > DumpSysVar > + if (name && strlen(name) > VAR_NAME_LEN) { > + fprintf(ErrFp, "$%s: Name too long\n", name); > + return; Use CVE-2015-5957."
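Review bot: The comparison in the quoted DumpSysVar check is `strlen(name) > VAR_NAME_LEN`, so a name of exactly VAR_NAME_LEN characters is still accepted; that is only safe if the destination buffer holds VAR_NAME_LEN + 1 bytes, and the excerpt does not show the buffer declaration, so it is worth confirming against the full upstream diff. Separately, the error path echoes the rejected name in full through `fprintf(ErrFp, "$%s: Name too long\n", name)`; a bounded precision such as `$%.*s` would keep an oversized name out of the error stream.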
Note that it's not entirely clear what the real world impact is. The Red Hat CVE-2015-5957 tracking bug (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5957) just notes it as an "unspecified buffer overflow flaw" and the actual bug for the update has the upstream reporter recommending the fix but without any substantiation of the impact (https://bugzilla.redhat.com/show_bug.cgi?id=1215295).
Created attachment 161158 [details]
deskutils/remind: security update 3.1.13 -> 3.1.15

deskutils/remind: security update 3.1.13 -> 3.1.15
Security: CVE-2015-5957

I contacted Dianne to clarify the impact since the material out there wasn't clear on the user-visible aspect and got this feedback. I validated this is the case.

> No, no in-depth comments. The bug can be manifested in old
> versions of Remind by putting something like this in the Reminder file:
>
> DUMP $aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
>
> which would cause a buffer overflow because we allocated a fixed-length
> buffer for the name of a system variable (that is a special variable
> whose name begins with '$')
>
> In the fixed version, the above command simply produces the result:
>
> Name too long
>
> Regards,
>
> Dianne.
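An added illustration, not Remind's source and not part of this PR, of the flaw described in the comment above: a fixed-length name buffer filled without a length check, next to the same lookup with the check applied before the copy. The function names and the `VAR_NAME_LEN` value of 16 are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the thread does not state Remind's own. */
#define VAR_NAME_LEN 16

/* Pre-fix pattern (hypothetical function): the name goes into a fixed-length
 * buffer unchecked, so anything longer than VAR_NAME_LEN writes past buf. */
int lookup_unchecked(const char *name, char *out, size_t outlen)
{
    char buf[VAR_NAME_LEN + 1];
    strcpy(buf, name);                   /* overflows on an overlong name */
    snprintf(out, outlen, "$%s", buf);
    return 0;
}

/* Post-fix pattern (hypothetical function): reject before copying, using the
 * same comparison as the quoted var.c check. Returns 0 if accepted, else -1. */
int lookup_checked(const char *name, char *out, size_t outlen)
{
    char buf[VAR_NAME_LEN + 1];          /* +1 so a VAR_NAME_LEN name fits */
    size_t len;

    if (name == NULL) {
        snprintf(out, outlen, "Missing name");
        return -1;
    }
    len = strlen(name);
    if (len > VAR_NAME_LEN) {
        /* Echo only a bounded prefix of the rejected name. */
        snprintf(out, outlen, "$%.*s...: Name too long", VAR_NAME_LEN, name);
        return -1;
    }
    memcpy(buf, name, len + 1);          /* bounded: len <= VAR_NAME_LEN */
    snprintf(out, outlen, "$%s", buf);
    return 0;
}

int main(void)
{
    char msg[64], longname[129];         /* constructed 128-character name */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("%d %s\n", lookup_checked("T", msg, sizeof msg), msg);
    printf("%d %s\n", lookup_checked(longname, msg, sizeof msg), msg);
    return 0;
}
```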
Created attachment 161159 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere was checked on:
9.3-RELEASE-p24 amd64
9.3-RELEASE-p24 i386
10.1-RELEASE-p19 amd64
10.1-RELEASE-p19 i386
10.2-RELEASE-p2 amd64
10.2-RELEASE-p2 i386
11.0-CURRENT r287698 amd64
11.0-CURRENT r287698 arm.armv6
11.0-CURRENT r287698 i386
A commit references this bug:

Author: junovitch
Date: Fri Sep 18 00:33:01 UTC 2015
New revision: 397208
URL: https://svnweb.freebsd.org/changeset/ports/397208

Log:
  Document remind buffer overflow with malicious reminder file input

  PR: 202942
  Security: CVE-2015-5957

Changes:
  head/security/vuxml/vuln.xml
I haven't heard any update from maintainer. Is there an explicit "Approved by: ports-secteam" for this update?
Approved by: ports-secteam (feld)
Also for MFH

Thanks Jason!
A commit references this bug:

Author: junovitch
Date: Fri Sep 18 22:55:21 UTC 2015
New revision: 397302
URL: https://svnweb.freebsd.org/changeset/ports/397302

Log:
  deskutils/remind: security update 3.1.13 -> 3.1.15

  PR: 202942
  Approved by: ports-secteam (feld)
  Security: b55ecf12-5d98-11e5-9909-002590263bf5
  Security: CVE-2015-5957
  MFH: 2015Q3

Changes:
  head/deskutils/remind/Makefile
  head/deskutils/remind/distinfo
  head/deskutils/remind/files/patch-src_md5.c

A commit references this bug:

Author: junovitch
Date: Fri Sep 18 22:56:32 UTC 2015
New revision: 397303
URL: https://svnweb.freebsd.org/changeset/ports/397303

Log:
  MFH: r397302

  deskutils/remind: security update 3.1.13 -> 3.1.15

  PR: 202942
  Approved by: ports-secteam (feld)
  Security: b55ecf12-5d98-11e5-9909-002590263bf5
  Security: CVE-2015-5957

Changes:
_U  branches/2015Q3/
  branches/2015Q3/deskutils/remind/Makefile
  branches/2015Q3/deskutils/remind/distinfo
  branches/2015Q3/deskutils/remind/files/patch-src_md5.c
Tidy up PR post commit and close it.
- Take "assigned to"
- Clarify PR title
- Set merge-quarterly+ based off positive feedback in comment 6