Number: 128999
Category: ports
Synopsis: [vuxml] [patch] update audio/streamripper to 1.64.0, fix
CVE-2008-4829
Confidential: no
Severity: serious
Priority: high
Responsible:freebsd-ports-bugs
State: open
Quarter:
Keywords:
Date-Required:
Class: sw-bug
Submitter-Id: current-users
Arrival-Date: Wed Nov 19 21:30:14 UTC 2008
Closed-Date:
Last-Modified:
Originator: Eygene Ryabinkin
Release:FreeBSD 7.1-PRERELEASE i386
Organization:
Code Labs
Environment:
System: FreeBSD 7.1-PRERELEASE i386
Description:
Streamripper 1.64.0 is out and this release fixes security vulnerability
discovered by Secunia.
How-To-Repeat:
http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196
http://secunia.com/secunia_research/2008-50/
Fix:
The following patch updates the port to 1.64.0. It works for me: MP3
streams are ripped perfectly.
--- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff begins here ---
diff -urN ./Makefile ../streamripper/Makefile
--- ./Makefile 2008-11-19 23:50:33.0 +0300
+++ ../streamripper/Makefile2008-11-19 23:57:00.0 +0300
@@ -6,7 +6,7 @@
#
PORTNAME= streamripper
-PORTVERSION= 1.63.5
+PORTVERSION= 1.64.0
CATEGORIES=audio
MASTER_SITES= SF \
http://gd.tuwien.ac.at/hci/cdk/:cdk
diff -urN ./distinfo ../streamripper/distinfo
--- ./distinfo 2008-11-19 23:50:33.0 +0300
+++ ../streamripper/distinfo2008-11-19 23:57:19.0 +0300
@@ -1,6 +1,6 @@
-MD5 (streamripper-1.63.5.tar.gz) = 73a63383dca00615c3328cf51bf2fa56
-SHA256 (streamripper-1.63.5.tar.gz) =
877aed28880b904383c4e761c0ecb1e046dbe45126e648110c0292991d1e5b93
-SIZE (streamripper-1.63.5.tar.gz) = 1302177
+MD5 (streamripper-1.64.0.tar.gz) = f8754813ddc2bc96c4c3440e25aca8b6
+SHA256 (streamripper-1.64.0.tar.gz) =
a53f50d26de3610e59a07eaf81cc9da348aaf7b35bc4a302f2e5f6defb1297ae
+SIZE (streamripper-1.64.0.tar.gz) = 839535
MD5 (cdk-5.0-20060507.tgz) = 0ec2460a4484d5f5595d8faca61bc9c5
SHA256 (cdk-5.0-20060507.tgz) =
e823bfcce52916727cb23d6d549a64347c45c364b3c628d6a352c407fce8f4b4
SIZE (cdk-5.0-20060507.tgz) = 396514
--- 1.63.5-to-1.64.0-fix-cve-2008-4829.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
vuln vid=unknown
topicstreamripper -- user-assisted arbitrary code execution/topic
affects
package
namestreamripper/name
rangelt1.64.0/lt/range
/package
/affects
description
body xmlns=http://www.w3.org/1999/xhtml;
pSecunia Research has discovered some vulnerabilities in
Streamripper, which can be exploited by malicious people to
compromise a user's system:/p
blockquote cite=http://secunia.com/secunia_research/2008-50/;
ol
liA boundary error exists within http_parse_sc_header() in
lib/http.c when parsing an overly long HTTP header starting
with ldquo;Zwitterion vrdquo;./li
liA boundary error exists within http_get_pls() in
lib/http.c when parsing a specially crafted pls playlist
containing an overly long entry./li
liA boundary error exists within http_get_m3u() in
lib/http.c when parsing a specially crafted m3u playlist
containing an overly long ldquo;Filerdquo; entry./li
/ol
pSuccessful exploitation allows execution of arbitrary
code, but requires that a user is tricked into connecting
to a malicious server./p
/blockquote
/body
/description
references
cvenameCVE-2008-4829/cvename
urlhttp://secunia.com/secunia_research/2008-50//url
urlhttp://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/CHANGES?revision=1.196/url
/references
dates
discovery2008-11-19/discovery
/dates
/vuln
--- vuln.xml ends here ---
Release-Note:
Audit-Trail:
Unformatted:
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to [EMAIL PROTECTED]