Subject: pkg/32822: CUPS: vulnerable or not?
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <anne@porcupine.montreal.qc.ca>
List: pkgsrc-bugs
Date: 02/13/2006 19:45:00
>Number:         32822
>Category:       pkg
>Synopsis:       CUPS vulnerability info is inconsistent
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          support
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 13 19:45:00 +0000 2006
>Originator:     Anne Bennett
>Release:        NetBSD 3.0
>Environment:
System: NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan 2 17:33:19 EST 2006 root@newquill.porcupine.montreal.qc.ca:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64 amd64
Architecture: x86_64
Machine: amd64
>Description:
I seem to be getting inconsistent information about CUPS vulnerabilities.
The information at:

  ftp://ftp.NetBSD.org/pub/NetBSD/packages/pkgsrc/print/cups/README.html

lists versions up to and including cups-1.1.23nb4 as vulnerable,
which ought to mean that cups-1.1.23nb5 is okay, but my attempts to
install it result in:

  *** WARNING - 1721,denial-of-service vulnerability in cups-1.1.23nb5
  - see http://secunia.com/advisories/18332/ for more information ***
  *** WARNING - 1722,arbitrary-code-execution vulnerability in
  cups-1.1.23nb5 - see http://secunia.com/advisories/18332/ for more
  information ***
  or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely
  essential

... and sure enough, /usr/pkg/distfiles/pkg-vulnerabilities
(downloaded daily) still this morning was listing:

  cups-[0-9]*             1721,denial-of-service http://secunia.com/advisories/18332/
  cups-[0-9]*             1722,arbitrary-code-execution http://secunia.com/advisories/18332/

... where presumably "cups-[0-9]*" matches all known versions.

The URL states that "The vulnerabilities are caused due to the
use of a vulnerable version of Xpdf".

>How-To-Repeat:
N/A
>Fix:
I'm not sure if this is considered a bug, or if I'm supposed to just
decide that since my version of xpdf is not listed as vulnerable, then
I can ignore this warning.  If so, I'll learn to use the "-i" option
to audit-packages.  But I suspect that this may trip up other people
as well, especially since the CUPS web page in the pkg listing does
not list this vulnerability.  If it's possible, it would be helpful to
get the same story from the vulnerability list and the per-package
webpage.
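The inconsistency described in this PR comes down to how the pattern column of pkg-vulnerabilities is matched against installed package names. The following is an added example, not part of the PR or of pkgsrc's own audit-packages/pkg_admin code: it parses the two cups lines quoted above plus one constructed, hypothetical version-bounded entry (`cups<1.1.23nb5`, which is not in the real file), and audits a constructed list of installed packages. The bare glob `cups-[0-9]*` is matched against the whole package name, so it flags every cups version, fixed or not; a dewey-style bound stops matching at the fixed version. The dewey comparison here is a simplified approximation (dotted numbers plus an `nbN` suffix) and does not handle alpha/beta/rc/pl suffixes the way pkg_admin does.

```python
import fnmatch
import re

# Constructed sample of pkg-vulnerabilities: the two cups lines quoted in the
# PR, plus one hypothetical version-bounded entry (not from the real file) to
# show how a dewey-style bound behaves next to a bare glob.
PKG_VULNERABILITIES = """\
cups-[0-9]*             1721,denial-of-service http://secunia.com/advisories/18332/
cups-[0-9]*             1722,arbitrary-code-execution http://secunia.com/advisories/18332/
cups<1.1.23nb5          1721,denial-of-service http://secunia.com/advisories/18332/
"""

# Constructed list of installed packages, in the form `pkg_info -e '*'` prints.
INSTALLED = ["cups-1.1.23nb4", "cups-1.1.23nb5", "xpdf-3.01"]


def split_pkgname(pkg):
    """'cups-1.1.23nb5' -> ('cups', '1.1.23nb5'); the version follows the last '-'."""
    base, _, version = pkg.rpartition("-")
    return base, version


def dewey(version):
    """Simplified pkgsrc dewey key: dotted numeric parts, then the nbN suffix.
    Real pkg_admin also understands alpha/beta/rc/pl; this approximation does not."""
    base, _, nb = version.partition("nb")
    parts = tuple(int(p) for p in re.findall(r"\d+", base))
    return parts, int(nb or 0)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}
# A bounded pattern is a plain package base followed by one or more <, <=, >, >= bounds.
_BOUNDED = re.compile(r"^([^<>\[\]*?{}]+)([<>].+)$")


def matches(pattern, pkg):
    """True if the pkg-vulnerabilities pattern applies to the installed package name."""
    base, version = split_pkgname(pkg)
    m = _BOUNDED.match(pattern)
    if m is None:
        # Bare glob such as 'cups-[0-9]*': matched against the full name, so it
        # covers every version of the package, fixed or not.
        return fnmatch.fnmatchcase(pkg, pattern)
    if m.group(1) != base:
        return False
    # Version-bounded pattern such as 'cups<1.1.23nb5' or 'cups>=1.1<1.2':
    # every bound must hold for the installed version.
    for op, bound in re.findall(r"([<>]=?)([^<>]+)", m.group(2)):
        if not _OPS[op](dewey(version), dewey(bound)):
            return False
    return True


def parse_vulnerabilities(text):
    """Yield (pattern, kind, url) triples from pkg-vulnerabilities-style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        yield pattern, kind, url


def audit(installed, vuln_text=PKG_VULNERABILITIES):
    """Map each installed package to the advisory kinds whose pattern matches it."""
    entries = list(parse_vulnerabilities(vuln_text))
    hits = {}
    for pkg in installed:
        kinds = [kind for pattern, kind, _ in entries if matches(pattern, pkg)]
        if kinds:
            hits[pkg] = kinds
    return hits


if __name__ == "__main__":
    for pkg, kinds in audit(INSTALLED).items():
        print(pkg, "->", ", ".join(kinds))
```

Running it shows cups-1.1.23nb5 flagged twice by the glob entries even though the constructed bounded entry correctly excludes it, while cups-1.1.23nb4 is flagged by all three; xpdf-3.01 is not flagged because no line names it. That is the gap the PR points at: a glob entry cannot express "fixed in nb5", so the per-package README and the vulnerability list can only agree once the pattern carries a version bound.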