Subject: pkg/33031: cups marked as vulnerable, but may have been fixed
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: pkgsrc-bugs
Date: 03/08/2006 13:00:01
>Number:         33031
>Category:       pkg
>Synopsis:       cups marked as vulnerable, but may have been fixed
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 08 13:00:01 +0000 2006
>Originator:     John Kohl
>Release:        NetBSD 3.0
>Organization:
NetBSD Kernel Hackers `R` Us
>Environment:
System: NetBSD desktop.john.kohl.name 3.0 NetBSD 3.0 (KOLVIR-$Revision: 1.64 $) #7: Sat Jan 21 15:58:30 EST 2006 jtk@desktop.john.kohl.name:/u4/sandbox/src/sys/arch/i386/compile/KOLVIR i386
Architecture: i386
Machine: i386

pkgsrc/print/cups/CVS/Entries:

/DESCR/1.2/Tue May  6 17:42:26 2003//
/MESSAGE/1.9/Wed Jun 25 11:47:40 2003//
/MESSAGE.pam/1.2/Tue Sep 24 12:30:32 2002//
/PLIST/1.18/Sun Jul 17 11:40:37 2005//
/buildlink3.mk/1.14/Mon Feb  6 12:40:21 2006//
/Makefile/1.107/Thu Feb 16 12:36:34 2006//
/distinfo/1.38/Wed Feb 22 12:05:47 2006//

pkgsrc/print/cups/patches/CVS/Entries:
/patch-ac/1.12/Mon May 17 10:40:45 2004//
/patch-ad/1.12/Mon May 17 10:40:45 2004//
/patch-ao/1.5/Wed Jun  4 06:08:45 2003//
/patch-at/1.6/Thu Jan  6 18:22:29 2005//
/patch-au/1.4/Thu Mar  3 12:14:21 2005//
/patch-av/1.3/Wed Mar  2 18:33:02 2005//
/patch-aw/1.4/Thu Aug 11 00:03:18 2005//
/patch-an/1.6/Fri Dec 16 13:06:15 2005//
/patch-bf/1.1/Sat Dec 17 04:22:55 2005//
/patch-aa/1.18/Mon Dec 19 16:04:48 2005//
/patch-ae/1.14/Mon Dec 19 16:04:48 2005//
/patch-af/1.16/Mon Dec 19 16:04:48 2005//
/patch-ag/1.18/Mon Dec 19 16:04:48 2005//
/patch-ap/1.6/Wed Feb 15 19:06:13 2006//
/patch-be/1.2/Thu Feb 16 12:36:34 2006//
/patch-ah/1.14/Thu Feb 16 15:52:15 2006//


>Description:
patch-be rev 1.2 says:
revision 1.2
date: 2006/02/15 19:06:13;  author: joerg;  state: Exp;  lines: +58 -19
Port the security fixes for SA181303 from print/xpdf to print/cups.


I think this is supposed to be "18303",
i.e. http://secunia.com/advisories/18303

which is cross-referenced from http://secunia.com/advisories/18332/

pkg-vulnerabilities as of March 6, 2006 has these lines:
cups-[0-9]*             1721,denial-of-service          http://secunia.com/advisories/18332/
cups-[0-9]*             1722,arbitrary-code-execution   http://secunia.com/advisories/18332/


>How-To-Repeat:
	try to build cups-1.1.23nb7
>Fix:
I think pkg-vulnerabilities just needs updating to indicate that the
latest cups packages fix the problem.
(but check with joerg)
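
Added example, not part of the original report and not pkgsrc's own matching code: a simplified Python matcher showing why the two `cups-[0-9]*` entries quoted above flag every cups version, patched or not, while a version-bounded pattern stops matching at a given revision. The bound `cups<1.1.23nb7` is a hypothetical value chosen for illustration (the revision that actually carries the fix would need confirming), and the version comparison handles only digits, dots and the `nbN` suffix.

```python
import fnmatch
import re

# The two entries quoted in the report, verbatim (three whitespace-separated fields).
ENTRIES = """\
cups-[0-9]*             1721,denial-of-service          http://secunia.com/advisories/18332/
cups-[0-9]*             1722,arbitrary-code-execution   http://secunia.com/advisories/18332/
"""

def parse_version(version):
    """Split '1.1.23nb7' into ([1, 1, 23], 7). Simplified: digits, dots and nbN only."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", version)
    if not m:
        raise ValueError("unsupported version: " + version)
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:   # treat 1.2 and 1.2.0 as equal
        parts.pop()
    return parts, int(m.group(2) or 0)

def matches(pattern, pkgname):
    """True if pkgname (e.g. 'cups-1.1.23nb7') is covered by a vulnerability pattern."""
    m = re.fullmatch(r"([^<>=]+)(<=|<)(.+)", pattern)
    if m:  # version-bounded form: base<version or base<=version
        base, op, limit = m.groups()
        name, _, version = pkgname.rpartition("-")
        if name != base:
            return False
        have, want = parse_version(version), parse_version(limit)
        return have < want or (op == "<=" and have == want)
    return fnmatch.fnmatchcase(pkgname, pattern)  # plain glob form

def findings(pkgname, entries=ENTRIES):
    """Return (type, url) for every entry whose pattern covers pkgname."""
    hits = []
    for line in entries.splitlines():
        fields = line.split()
        if len(fields) == 3 and matches(fields[0], pkgname):
            hits.append((fields[1], fields[2]))
    return hits

# Hypothetical corrected entries: the bound is assumed for illustration, not confirmed.
BOUNDED = ENTRIES.replace("cups-[0-9]*", "cups<1.1.23nb7")

if __name__ == "__main__":
    for pkg in ("cups-1.1.23nb6", "cups-1.1.23nb7"):
        print(pkg, "glob:", len(findings(pkg)), "bounded:", len(findings(pkg, BOUNDED)))
```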