pkgsrc-Users archive


Re: xdg-utils-1.0.2 (Re: [HEADSUP] Removing vulnerable packages



On Tue, Apr 05, 2011 at 11:18:56AM +0200, Thomas Klausner wrote:
> On Tue, Apr 05, 2011 at 11:14:26AM +0200, Thomas Klausner wrote:
> > On Tue, Apr 05, 2011 at 11:35:59AM +0900, Makoto Fujiwara wrote:
> > > I have generated this patch.
> > >     http://www.ki.nu/~makoto/pkgsrc/misc/xdg-utils-1.0.2nb1
> > > 
> > > I did not confirm whether the patched version is vulnerable or not.
> > > I just picked up the diffs of the following commit.
> > > 
> > >   2008-01-24 Kevin Krammer <kevin.krammer%gmx.at@localhost>
> > >       * Fixing security issue in xdg-email and xdg-open at replacing
> > >         parameter in $BROWSER
> > 
> > I've committed this, thank you!
> 
> When I looked at the vulnerabilities file again, I saw that it only
> contained an entry for
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
> while the patches fix
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
> 
> So more work to do here :(

Also, drochner reported that the patches break the scripts on most
shells. So either we additionally depend on bash (which we'd like to
avoid) or we fix them differently.

I've backed out the patches for now, waiting for a better solution.
 Thomas

