Subject: pkg/33031: cups marked as vulnerable, but may have been fixed
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: pkgsrc-bugs
Date: 03/08/2006 13:00:01
>Number: 33031
>Category: pkg
>Synopsis: cups marked as vulnerable, but may have been fixed
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 08 13:00:01 +0000 2006
>Originator: John Kohl
>Release: NetBSD 3.0
>Organization:
NetBSD Kernel Hackers `R` Us
>Environment:
System: NetBSD desktop.john.kohl.name 3.0 NetBSD 3.0 (KOLVIR-$Revision: 1.64 $) #7: Sat Jan 21 15:58:30 EST 2006 jtk@desktop.john.kohl.name:/u4/sandbox/src/sys/arch/i386/compile/KOLVIR i386
Architecture: i386
Machine: i386
pkgsrc/print/cups/CVS/Entries:
/DESCR/1.2/Tue May 6 17:42:26 2003//
/MESSAGE/1.9/Wed Jun 25 11:47:40 2003//
/MESSAGE.pam/1.2/Tue Sep 24 12:30:32 2002//
/PLIST/1.18/Sun Jul 17 11:40:37 2005//
/buildlink3.mk/1.14/Mon Feb 6 12:40:21 2006//
/Makefile/1.107/Thu Feb 16 12:36:34 2006//
/distinfo/1.38/Wed Feb 22 12:05:47 2006//
pkgsrc/print/cups/patches/CVS/Entries:
/patch-ac/1.12/Mon May 17 10:40:45 2004//
/patch-ad/1.12/Mon May 17 10:40:45 2004//
/patch-ao/1.5/Wed Jun 4 06:08:45 2003//
/patch-at/1.6/Thu Jan 6 18:22:29 2005//
/patch-au/1.4/Thu Mar 3 12:14:21 2005//
/patch-av/1.3/Wed Mar 2 18:33:02 2005//
/patch-aw/1.4/Thu Aug 11 00:03:18 2005//
/patch-an/1.6/Fri Dec 16 13:06:15 2005//
/patch-bf/1.1/Sat Dec 17 04:22:55 2005//
/patch-aa/1.18/Mon Dec 19 16:04:48 2005//
/patch-ae/1.14/Mon Dec 19 16:04:48 2005//
/patch-af/1.16/Mon Dec 19 16:04:48 2005//
/patch-ag/1.18/Mon Dec 19 16:04:48 2005//
/patch-ap/1.6/Wed Feb 15 19:06:13 2006//
/patch-be/1.2/Thu Feb 16 12:36:34 2006//
/patch-ah/1.14/Thu Feb 16 15:52:15 2006//
>Description:
patch-be rev 1.2 says:

    revision 1.2
    date: 2006/02/15 19:06:13; author: joerg; state: Exp; lines: +58 -19
    Port the security fixes for SA181303 from print/xpdf to print/cups.

I think this is supposed to be "18303",
i.e. http://secunia.com/advisories/18303
which is cross-referenced from http://secunia.com/advisories/18332/

pkg-vulnerabilities as of March 6, 2006 has these lines:

    cups-[0-9]* 1721,denial-of-service http://secunia.com/advisories/18332/
    cups-[0-9]* 1722,arbitrary-code-execution http://secunia.com/advisories/18332/
>How-To-Repeat:
try to build cups-1.1.23nb7
>Fix:
I think pkg-vulnerabilities just needs updating to indicate that the
latest cups packages fix the problem.
(but check with joerg)