pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: xdg-utils-1.0.2 (Re: [HEADSUP] Removing vulnerable packages
On Tue, Apr 05, 2011 at 11:18:56AM +0200, Thomas Klausner wrote:
> On Tue, Apr 05, 2011 at 11:14:26AM +0200, Thomas Klausner wrote:
> > On Tue, Apr 05, 2011 at 11:35:59AM +0900, Makoto Fujiwara wrote:
> > > I have generated this patch.
> > > http://www.ki.nu/~makoto/pkgsrc/misc/xdg-utils-1.0.2nb1
> > >
> > > I did not confirm patched version is vulnerable or not.
> > > I just picked up the diffs of following commit.
> > >
> > > 2008-01-24 Kevin Krammer <kevin.krammer%gmx.at@localhost>
> > > * Fixing security issue in xdg-email and xdg-open at replacing
> > > parameter in $BROWSER
> >
> > I've committed this, thank you!
>
> When I looked at the vulnerabilities file again, I saw that it only
> contained an entry for
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
> while the patches fix
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
>
> So more work to do here :(
Also, drochner reported that the patches break the scripts on most
shells. So either we additionally depend on bash (which we'd like to
avoid) or we fix them differently.
I've backed out the patches for now, waiting for a better solution.
Thomas
Home |
Main Index |
Thread Index |
Old Index