On 04.04.2017 at 02:29, Greg Troxel <gdt%netbsd.org@localhost> wrote:
> The pkgsrc developers are proud to announce the 54th quarterly release
> of pkgsrc, the cross-platform packaging system. pkgsrc is available
> with more than 17500 packages, running on 23 separate platforms; more
> information on pkgsrc itself is available at https://www.pkgsrc.org/
> A neutral overview can be found at https://www.openhub.net/p/pkgsrc
I have a couple of packages installed, and am unable to update them because of security issues for quite a long time since nobody seems to care for them:
Package arc-5.21pnb1 has a directory-traversal vulnerability, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
Package openjpeg-2.1.2 has a null-pointer-bug vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9114
Package openjpeg-2.1.2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9117
Package openjpeg-2.1.2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9115
Package openjpeg-2.1.2 has a buffer-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9118
Package openjpeg-2.1.2 has a null-pointer-bug vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9113
Package openjpeg-2.1.2 has a null-pointer-bug vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9116
Package openjpeg-2.1.2 has a floating-point-exception vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9112
Package gdk-pixbuf2-2.36.4 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6311
Package gdk-pixbuf2-2.36.4 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6312
Package gdk-pixbuf2-2.36.4 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6313
Package gdk-pixbuf2-2.36.4 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6314
Package pcre-8.40nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2017-7246
Package pcre-8.40nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2017-7245
Package pcre-8.40nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2017-7244
Package pcre-8.40nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2017-7186
Package mailman-2.1.20 has a cross-site-request-forgery vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6893
Package ghostscript-gpl-9.06nb10 has a null-dereference vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207
Package ghostscript-gpl-9.06nb10 has a use-after-free vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10217
Package ghostscript-gpl-9.06nb10 has a null-dereference vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10218
Package ghostscript-gpl-9.06nb10 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
Package ghostscript-gpl-9.06nb10 has a null-dereference vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
Package ghostscript-gpl-9.06nb10 has a null-dereference vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951
Package ghostscript-gpl-9.06nb10 has a heap-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10317
Package jpeg-9 has a multiple-vulnerabilities vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3616
Package lha-114.9nb4 has a buffer-overflow vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1925
Package libxslt-1.1.29nb1 has a insufficiently-random-numbers vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2015-9019
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5498
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5499
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5500
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5501
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5502
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5503
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5504
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5505
Package jasper-2.0.10nb2 has a null-dereference vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6850
Package jasper-2.0.10nb2 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6851
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5974
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5975
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5976
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5977
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5978
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5979
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5980
Package zziplib-0.13.59 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5981
Package cairo-1.14.6 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9082
Package yaml-cpp-0.5.1 has a memory-corruption vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2017-5950
Package mDNSResponder-258.14 has a denial-of-service vulnerability, see https://www.kb.cert.org/vuls/id/143335
Package clamav-0.99.2nb2 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1405
Package tiff-4.0.7nb1 has a arbitrary-memory-access vulnerability, see http://www.securityfocus.com/archive/1/537205
Package tiff-4.0.7nb1 has a multiple-vulnerabilities vulnerability, see https://www.debian.org/security/2016/dsa-3467
Package tiff-4.0.7nb1 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547
Package tiff-4.0.7nb1 has a remote-code-execution vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8331
Package tiff-4.0.7nb1 has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5225
Package tiff-4.0.7nb1 has a out-of-bounds-write vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453
Package tiff-4.0.7nb1 has a null-dereference vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
Package tiff-4.0.7nb1 has a out-of-bounds-read vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5563
Package tiff-4.0.7nb1 has a buffer-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10092
Package tiff-4.0.7nb1 has a buffer-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10093
Package tiff-4.0.7nb1 has a buffer-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10094
Package tiff-4.0.7nb1 has a buffer-overflow vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10095
Package tiff-4.0.7nb1 has a heap-overflow vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10272
Package tiff-4.0.7nb1 has a heap-overflow vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10269
Package tiff-4.0.7nb1 has a heap-overflow vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10271
Package tiff-4.0.7nb1 has a heap-overflow vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10270
Package tiff-4.0.7nb1 has a out-of-bounds-read vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10268
Package tiff-4.0.7nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10266
Package tiff-4.0.7nb1 has a denial-of-service vulnerability, see https://nvd.nist.gov/vuln/detail/CVE-2016-10267
For arc, in case you wonder, I generated a local patch over a year ago (hence the nb1), but that seems not to influence the vulnerability message. Maybe something more needs to be done to get rid of that.
Anyway, I inline the patch for that. For the others, please advise on who to contact to get things into something like a more secure shape…
Cheers
Oskar
--
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/archivers/arc/Makefile,v
retrieving revision 1.35
diff -u -r1.35 Makefile
--- Makefile 4 Jan 2015 10:43:44 -0000 1.35
+++ Makefile 12 Mar 2016 20:48:46 -0000
@@ -1,6 +1,7 @@
# $NetBSD: Makefile,v 1.35 2015/01/04 10:43:44 wiz Exp $
DISTNAME= arc-5.21p
+PKGREVISION= 1
CATEGORIES= archivers
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=arc/}
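Review bot: the added PKGREVISION= 1 line gives the patched build its own version, but the audit output earlier in this message still reports arc-5.21pnb1, so the bump alone does not clear the warning. The arc entry in the pkg-vulnerabilities list also needs its version pattern limited to versions before 5.21pnb1 when this is committed; say so in the commit message so the entry gets updated together with the package.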
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/archivers/arc/distinfo,v
retrieving revision 1.12
diff -u -r1.12 distinfo
--- distinfo 3 Nov 2015 00:56:20 -0000 1.12
+++ distinfo 12 Mar 2016 20:48:46 -0000
@@ -8,3 +8,6 @@
SHA1 (patch-ab) = e85c2698747106a7319db07185bfe0b6e2480974
SHA1 (patch-ac) = 3332d9db5c41fb205ab9f5123b0de0704ae634b3
SHA1 (patch-ad) = b8c7b8a9a0733fb8f4a8963765d3dcd318988afc
+SHA1 (patch-ae) = 7bfce7786201e87c0960a7f691428594185c528d
+SHA1 (patch-af) = b13a46e389350cea90de146f7bc7ca6226d13544
+SHA1 (patch-ag) = 169315fab44e1d153900fede0d99ab5ef93859f1
Index: patches/patch-ae
===================================================================
RCS file: patches/patch-ae
diff -N patches/patch-ae
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ae 12 Mar 2016 20:48:46 -0000
@@ -0,0 +1,12 @@
+--- arcio.c.orig 2015-01-16 13:04:16.000000000 +0100
++++ arcio.c 2015-01-16 15:45:31.389010626 +0100
+@@ -109,6 +109,9 @@ readhdr(hdr, f) /* read a header from
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
++ if (strchr(hdr->name, CUTOFF) != NULL)
++ arcdie("%s contains illegal filename %s", arcname, hdr->name);
++
+ for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
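Review bot: the strchr() on hdr->name in the added check is only safe once the name is NUL-terminated, and that termination (hdr->name[FNLEN - 1] = 0) comes from patch-ag, which sorts after this file; the hunk position (line 109) also matches arcio.c as left by patch-ag rather than the pristine source. Merge the two into a single arcio.c patch so the check cannot be applied without the termination. The arcdie() message also prints the archive-supplied name unfiltered to the terminal; consider replacing non-printable bytes before printing it.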
Index: patches/patch-af
===================================================================
RCS file: patches/patch-af
diff -N patches/patch-af
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-af 12 Mar 2016 20:48:46 -0000
@@ -0,0 +1,27 @@
+--- arcmisc.c.orig 2010-08-07 15:06:42.000000000 +0200
++++ arcmisc.c 2015-01-16 16:10:29.322603290 +0100
+@@ -4,6 +4,7 @@
+ */
+
+ #include <stdio.h>
++#include <stdarg.h>
+ #include <ctype.h>
+ #include <unistd.h>
+ #include "arc.h"
+@@ -223,11 +224,13 @@ upper(string)
+ }
+ /* VARARGS1 */
+ VOID
+-arcdie(s, arg1, arg2, arg3)
+- char *s;
++arcdie(const char *s, ...)
+ {
++ va_list args;
+ fprintf(stderr, "ARC: ");
+- fprintf(stderr, s, arg1, arg2, arg3);
++ va_start(args, s);
++ vfprintf(stderr, s, args);
++ va_end(args);
+ fprintf(stderr, "\n");
+ #if UNIX
+ perror("UNIX");
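Review bot: the definition of arcdie() becomes variadic here, but no declaration is touched in this patch; any header or source file that still declares it in the old K&R form has to be changed to the same "const char *s, ..." prototype, because calling a variadic function through a non-variadic declaration is undefined behaviour. A printf-style format attribute on that prototype would let the compiler check callers such as the new "contains illegal filename" message in patch-ae.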
Index: patches/patch-ag
===================================================================
RCS file: patches/patch-ag
diff -N patches/patch-ag
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ag 12 Mar 2016 20:48:46 -0000
@@ -0,0 +1,60 @@
+--- arcio.c.orig 2010-08-07 15:06:42.000000000 +0200
++++ arcio.c 2015-01-16 12:59:43.203289118 +0100
+@@ -37,6 +37,7 @@
+ #endif
+ char name[FNLEN]; /* filename buffer */
+ int try = 0;/* retry counter */
++ int hdrlen;
+ static int first = 1; /* true only on first read */
+
+ if (!f) /* if archive didn't open */
+@@ -92,23 +93,19 @@
+ printf("I think you need a newer version of ARC.\n");
+ exit(1);
+ }
++
+ /* amount to read depends on header type */
++ if (hdrver == 1) {
++ hdrlen = 23; /* old style is shorter */
++ } else {
++ hdrlen = 27;
++ }
+
+- if (hdrver == 1) { /* old style is shorter */
+- if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+- hdrver = 2; /* convert header to new format */
+- hdr->length = hdr->size; /* size is same when not
+- * packed */
+- } else
+-#if MSDOS
+- if (fread(hdr, sizeof(struct heads), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+-#else
+- if (fread(dummy, 27, 1, f) != 1)
+- arcdie("%s was truncated", arcname);
++ if (fread(dummy, hdrlen, 1, f) != 1)
++ arcdie("%s was truncated", arcname);
+
+ for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
++ hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
+@@ -116,8 +113,14 @@
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
+ hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
+- for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+-#endif
++
++ if (hdrver == 1) {
++ hdrver = 2; /* convert header to new format */
++ hdr->length = hdr->size; /* size is same when not
++ * packed */
++ } else {
++ for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
++ }
+
+ if (hdr->date > olddate
+ || (hdr->date == olddate && hdr->time > oldtime)) {
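Review bot: the header lengths 23 and 27 in the new hdrlen assignment are bare literals, while the decoding further down indexes dummy[] up to 22 and 26; give them named constants and size dummy[] from the larger one so the read length and the indexing cannot drift apart. The patch file also starts directly at the "--- arcio.c.orig" line; pkgsrc patches carry a $NetBSD$ tag line and a short comment describing the fix, and the same applies to patch-ae and patch-af.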