Bug 206590 - security/vuxml: Add entry for devel/gdcm - CVE-2015-8397 & CVE-2015-8396
Summary: security/vuxml: Add entry for devel/gdcm - CVE-2015-8397 & CVE-2015-8396
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jason Unovitch
URL:
Keywords: needs-patch, needs-qa, security
Depends on: 203479
Blocks:
Reported: 2016-01-25 02:06 UTC by Sevan Janiyan
Modified: 2016-02-01 11:42 UTC

See Also:
junovitch: merge-quarterly-


Description Sevan Janiyan 2016-01-25 02:06:38 UTC
"GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks" May not apply to the version currently in ports, however, there's Bug 203479 which brings the port up to date.
http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/
Comment 1 Sevan Janiyan 2016-01-25 02:10:17 UTC
CVE-2015-8397, CVE-2015-8396
http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
Comment 2 commit-hook freebsd_committer 2016-02-01 02:43:24 UTC
A commit references this bug:

Author: junovitch
Date: Mon Feb  1 02:42:40 UTC 2016
New revision: 407678
URL: https://svnweb.freebsd.org/changeset/ports/407678

Log:
  Document multiple vulnerabilities in gdcm

  PR:		206590
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Security:	CVE-2015-8396
  Security:	CVE-2015-8397
  Security:	https://vuxml.FreeBSD.org/freebsd/e00d8b94-c88a-11e5-b5fe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Jason Unovitch freebsd_committer 2016-02-01 11:42:39 UTC
Marked closed/fixed. Setting merge-quarterly- as VuXML MFH doesn't apply and all the original effort in bug 203479 covers the actual fix.