From nobody@FreeBSD.org  Fri Jun 28 12:49:55 2013
Message-Id: <201306281249.r5SCns8k032302@oldred.freebsd.org>
Date: Fri, 28 Jun 2013 12:49:54 GMT
From: Frank Broniewski <brfr@metrico.lu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftp/curl-7.24.0_3 library has known vulnerabilities
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         180058
>Category:       ports
>Synopsis:       ftp/curl 7.24.0_3 library has known vulnerabilities
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    sunpoet
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 28 13:00:00 UTC 2013
>Closed-Date:    Tue Jul 02 06:36:05 UTC 2013
>Last-Modified:  Tue Jul 02 06:36:05 UTC 2013
>Originator:     Frank Broniewski
>Release:        9.1-RELEASE-p4
>Organization:
Metrico s.à r.l
>Environment:
FreeBSD frodo.metrico 9.1-RELEASE-p4 FreeBSD 9.1-RELEASE-p4 #0: Mon Jun 17 11:42:37 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
curl fails to build because it is marked as vulnerable:
# portmaster curl
===>>> Currently installed version: curl-7.24.0_3
===>>> Port directory: /usr/ports/ftp/curl

===>>> Gathering distinfo list for installed ports

===>>> Launching 'make checksum' for ftp/curl in background
===>>> Gathering dependency list for ftp/curl from ports
===>>> Initial dependency check complete for ftp/curl


===>>> Starting build for ftp/curl <<<===

===>>> All dependencies are up to date

===>  Cleaning for curl-7.24.0_3
===>>> Waiting on fetch & checksum for ftp/curl <<<===
===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
===>  Deleting distfiles for curl-7.24.0_3
===>>> RE-STARTING FETCH <<<===


===>  curl-7.24.0_3 has known vulnerabilities:
Affected package: curl-7.24.0_3
Type of problem: cURL library -- heap corruption in curl_easy_unescape.
Reference: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1

Stop in /usr/ports/ftp/curl.
*** [build] Error code 1

Stop in /usr/ports/ftp/curl.

===>>> make failed for ftp/curl
===>>> Aborting update

===>>> Killing background jobs
Terminated

===>>> You can restart from the point of failure with this command line:
       portmaster <flags> ftp/curl 

===>>> Exiting

>How-To-Repeat:
portmaster curl
>Fix:


>Release-Note:
>Audit-Trail:

From: Hiroki Sato <hrs@FreeBSD.org>
To: brfr@metrico.lu
Cc: freebsd-gnats-submit@FreeBSD.org, hrs@FreeBSD.org
Subject: Re: ports/180058: ftp/curl-7.24.0_3 library has known
 vulnerabilities
Date: Fri, 28 Jun 2013 23:14:47 +0900 (JST)

 ----Security_Multipart(Fri_Jun_28_23_14_47_2013_286)--
 Content-Type: Text/Plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 
 Frank Broniewski <brfr@metrico.lu> wrote
   in <201306281249.r5SCns8k032302@oldred.freebsd.org>:
 
 br> curl fails to build because it is marked as vulnerable:
 
  Here is a patch:
 
   http://people.allbsd.org/~hrs/FreeBSD/curl-7.31.0_20130628-1.diff
 
  Please test this.
 
 -- Hiroki
 
 ----Security_Multipart(Fri_Jun_28_23_14_47_2013_286)----
Responsible-Changed-From-To: freebsd-ports-bugs->sunpoet 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Jun 28 22:31:27 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=180058 

From: Frank Broniewski <brfr@metrico.lu>
To: Hiroki Sato <hrs@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/180058: ftp/curl-7.24.0_3 library has known vulnerabilities
Date: Mon, 01 Jul 2013 09:13:19 +0200

 On 2013-06-28 16:14, Hiroki Sato wrote:
 > Frank Broniewski <brfr@metrico.lu> wrote
 >    in <201306281249.r5SCns8k032302@oldred.freebsd.org>:
 >
 > br> curl fails to build because it is marked as vulnerable:
 >
 >   Here is a patch:
 >
 >    http://people.allbsd.org/~hrs/FreeBSD/curl-7.31.0_20130628-1.diff
 >
 >   Please test this.
 >
 > -- Hiroki
 >
 
 Hi Hiroki,
 
 thanks for the patch. The weekend hindered me from testing the patch 
 earlier. I applied the patch just now and building curl works again.
 
 Frank
 
 -- 
 Frank BRONIEWSKI
 
 METRICO s.à r.l.
 géomètres
 technologies d'information géographique
 rue des Romains 36
 L-5433 NIEDERDONVEN
 
 tél.: +352 26 74 94 - 28
 fax.: +352 26 74 94 99
 http://www.metrico.lu
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Jul 2 06:35:42 UTC 2013 
State-Changed-Why:  
Duplicate of ports/172325. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=180058 
>Unformatted:
