pkgsrc-Bugs archive


pkg/40334: CVE-2008-2383 fix for pkgsrc/x11/xterm (simple version update)



>Number:         40334
>Category:       pkg
>Synopsis:       CVE-2008-2383 fix for pkgsrc/x11/xterm (simple version update)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 06 17:25:00 +0000 2009
>Originator:     Tim
>Release:        pkgsrc current
>Organization:
Fermilab
>Environment:
SunOS hostname 5.10 Generic_137111-05 sun4u sparc SUNW,Sun-Fire-V440 Solaris

>Description:
xterm < 238 is vulnerable to CVE-2008-2383.
The upstream release 238 is available and fixes the security issue.

>How-To-Repeat:
cd pkgsrc/x11/xterm
bmake
=> Bootstrap dependency digest>=20010302: found digest-20080510
=> Bootstrap dependency tnftp-[0-9]*: found tnftp-20070806
===> Checking for vulnerabilities in xterm-237
Package xterm-237 has a remote-system-access vulnerability, see: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in 
audit-packages.conf(5) if this package is absolutely essential.
*** Error code 1

Stop.
bmake: stopped in /usr/pkg/pkgsrc/x11/xterm

>Fix:
cvs diffs:

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/x11/xterm/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- Makefile    10 Nov 2008 17:21:40 -0000      1.49
+++ Makefile    6 Jan 2009 17:18:48 -0000
@@ -1,7 +1,6 @@
 # $NetBSD: Makefile,v 1.49 2008/11/10 17:21:40 wiz Exp $
 
-DISTNAME=      xterm-237
-PKGREVISION=   1
+DISTNAME=      xterm-238
 CATEGORIES=    x11
 MASTER_SITES=  ftp://invisible-island.net/xterm/ \
                http://www.sfr-fresh.com/unix/misc/
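Review bot: Dropping PKGREVISION together with the DISTNAME bump to xterm-238 is the right convention, since a pkgsrc package revision resets on a new upstream version; the point to confirm before commit is that nothing else in the package needs to change for 238, because this hunk only renames the distfile, so a test build of 238 (including confirming that the existing patch-aa still applies) should accompany the update.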
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/x11/xterm/distinfo,v
retrieving revision 1.27
diff -u -r1.27 distinfo
--- distinfo    16 Sep 2008 22:18:26 -0000      1.27
+++ distinfo    6 Jan 2009 17:18:48 -0000
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.27 2008/09/16 22:18:26 bjs Exp $
 
-SHA1 (xterm-237.tgz) = 50ecf5b2c2ed3abd3d1bcdcfe476e9c485723084
-RMD160 (xterm-237.tgz) = 3e64296f5526dc00024f68695078f90ea9b6550c
-Size (xterm-237.tgz) = 860424 bytes
+SHA1 (xterm-238.tgz) = fef9376398b6bca40fed9372af64f08c957c1654
+RMD160 (xterm-238.tgz) = d36c4145a68290be510e529e842407d8b41706df
+Size (xterm-238.tgz) = 862288 bytes
 SHA1 (patch-aa) = f975c694ffd05be7d56adbaf55713fc694e9c997
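Review bot: The three xterm-238.tgz lines should be regenerated with `bmake makesum` against a freshly fetched distfile rather than edited by hand, so that SHA1, RMD160 and Size are guaranteed to describe the same download; and since the `SHA1 (patch-aa) = f975c694ffd05be7d56adbaf55713fc694e9c997` line is carried over unchanged, run `bmake patch` on 238 to confirm patch-aa still applies, because a stale patch would not be caught by the checksum step.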

Note that until /var/db/pkg/pkg-vulnerabilities is updated to correctly show
that xterm<238 is vulnerable rather than xterm-*, the warning will
remain.  I have emailed pkgsrc-security%NetBSD.org@localhost to request that
fix.
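The warning described in the paragraph above comes down to how an entry in pkg-vulnerabilities is matched against a package name: a glob entry such as `xterm-*` matches every xterm version, while a bounded entry such as `xterm<238` stops matching once the package is updated. The following Python script is an added illustration, not part of this PR and not pkgsrc's own audit-packages code: it implements a simplified version of pkgsrc's package-pattern matching (glob patterns, and dewey-style bounds such as `xterm<238` or `xterm>=230<238`, with an approximated version comparison that handles `nb` revisions and alphabetic pre-release suffixes) and runs it over a constructed two-line vulnerability list. The function names, the sample list and the exact comparison rules are assumptions made for the example.

```python
import re
from fnmatch import fnmatchcase
from itertools import zip_longest

# Constructed sample in the pkg-vulnerabilities layout (pattern, type, URL),
# not the real database: one overly broad entry and one version-bounded one.
SAMPLE_VULNERABILITIES = """\
# constructed sample, not the real pkg-vulnerabilities file
xterm-*\tremote-system-access\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383
xterm<238\tremote-system-access\thttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383
"""


def dewey_key(version):
    """Approximate pkgsrc dewey ordering: numeric components compare as
    integers, alphabetic runs (rc, alpha, ...) sort before any number so that
    1.0rc1 < 1.0, and an 'nb' suffix is the package revision, compared last."""
    main, _, rev = version.partition("nb")
    tokens = []
    for num, alpha in re.findall(r"(\d+)|([A-Za-z]+)", main):
        tokens.append((1, int(num)) if num else (0, alpha.lower()))
    return tokens, int(rev) if rev.isdigit() else 0


def dewey_cmp(a, b):
    """Return -1, 0 or 1 as version a is below, equal to or above version b."""
    ta, ra = dewey_key(a)
    tb, rb = dewey_key(b)
    # Missing trailing components count as 0, so 1.0 == 1.0.0 and 1.0 < 1.0.1.
    for x, y in zip_longest(ta, tb, fillvalue=(1, 0)):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)


def split_pkgname(pkgname):
    """'xterm-238' -> ('xterm', '238'); the version starts at the last '-'
    that is followed by a digit, so multi-dash names survive."""
    m = re.match(r"^(.+)-(\d.*)$", pkgname)
    if not m:
        raise ValueError("package name without a version: %r" % pkgname)
    return m.group(1), m.group(2)


def parse_pattern(pattern):
    """Split 'xterm>=230<238' into ('xterm', [('>=', '230'), ('<', '238')]).
    A pattern with no relational operator is returned with an empty list and
    is treated as a glob (e.g. 'xterm-*') or an exact name."""
    m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if not m:
        return pattern, []
    return m.group(1), re.findall(r"([<>]=?)([^<>]+)", m.group(2))


def matches(pattern, pkgname):
    """Does a pkg-vulnerabilities pattern match this full package name?"""
    name, constraints = parse_pattern(pattern)
    if not constraints:
        return fnmatchcase(pkgname, pattern)
    base, version = split_pkgname(pkgname)
    if base != name:
        return False
    for op, bound in constraints:
        c = dewey_cmp(version, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True


def audit_package(pkgname, vulnerabilities_text):
    """Return the (pattern, type, url) entries that flag pkgname."""
    hits = []
    for line in vulnerabilities_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) == 3 and matches(fields[0], pkgname):
            hits.append(tuple(fields))
    return hits


if __name__ == "__main__":
    # xterm-237 is flagged by both entries; xterm-238 only by the broad glob,
    # which is why the warning persists until that entry is narrowed.
    for pkg in ("xterm-237", "xterm-238"):
        for pattern, kind, url in audit_package(pkg, SAMPLE_VULNERABILITIES):
            print("%s: %s vulnerability matched by %r, see %s" % (pkg, kind, pattern, url))
```

Running the script shows the reporter's point directly: after the version bump, `xterm-238` is still matched by the `xterm-*` entry, and only by it, so the build keeps stopping at the vulnerability check until the database entry carries a version bound.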


