curl and CVE-2013-2174

Robert Simmons rsimmons0 at gmail.com
Wed Jul 3 04:55:21 UTC 2013


Is there a way to do something similar with portmaster?  I don't have
portaudit installed b/c pkgng provides the same functionality.  I'm
getting the following error:

===>  curl-7.24.0_4 has known vulnerabilities:
curl-7.24.0_4 is vulnerable:
cURL library -- heap corruption in curl_easy_unescape

WWW: http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1


On Tue, Jul 2, 2013 at 11:37 PM,  <krichy at tvnetwork.hu> wrote:
>
> Thanks, I should have tried that.
>
>
>
> Kojedzinszky Richard
> Euronet Magyarorszag Informatikai Zrt.
>
> On Tue, 2 Jul 2013, Ryan Steinmetz wrote:
>
>> Date: Tue, 2 Jul 2013 23:19:11 -0400
>> From: Ryan Steinmetz <zi at FreeBSD.org>
>> To: krichy at tvnetwork.hu
>> Cc: FreeBSD-Security at freebsd.org
>> Subject: Re: curl and CVE-2013-2174
>>
>>
>>
>> On (07/03/13 05:01), krichy at tvnetwork.hu wrote:
>>>
>>> Dear members,
>>>
>>> It may sound like a silly question. I have curl installed:
>>> # pkg_info |grep curl
>>> curl-7.24.0_3       Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
>>>
>>> Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
>>> in files/, but the port version remained such that portaudit, and
>>> portupgrade still complain about curl's version. What is the recommended
>>> way to upgrade the package?
>>
>>
>> Run:
>>
>> portaudit -Fda
>>
>> Then try your upgrade again.
>>
>> -r
>>
>>
>>>
>>> # portupgrade curl-7.24.0_3
>>> --->  Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
>>> --->  Building '/usr/ports/ftp/curl'
>>> ===>  Cleaning for curl-7.24.0_4
>>> ===>  curl-7.24.0_4 has known vulnerabilities:
>>> Affected package: curl-7.24.0_4
>>> Type of problem: cURL library -- heap corruption in curl_easy_unescape.
>>> Reference:
>>> http://portaudit.FreeBSD.org/01cf67b3-dc3b-11e2-a6cd-c48508086173.html
>>> => Please update your ports tree and try again.
>>> *** [check-vulnerable] Error code 1
>>>
>>> Stop in /usr/ports/ftp/curl.
>>> *** [build] Error code 1
>>>
>>> Stop in /usr/ports/ftp/curl.
>>> ** Command failed [exit code 1]: /usr/bin/script -qa
>>> /tmp/portupgrade20130702-47232-1m2otkk env UPGRADE_TOOL=portupgrade
>>> UPGRADE_PORT=curl-7.24.0_3 UPGRADE_PORT_VER=7.24.0_3 make
>>> ** Fix the problem and try again.
>>> ** Listing the failed packages (-:ignored / *:skipped / !:failed)
>>>         ! ftp/curl (curl-7.24.0_3)      (unknown build error)
>>>
>>> Thanks in advance,
>>>
>>>
>>> Kojedzinszky Richard
>>> Euronet Magyarorszag Informatikai Zrt.
>>> _______________________________________________
>>> freebsd-security at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe at freebsd.org"
>>
>>
>> --
>> Ryan Steinmetz
>> PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2

