Zen Parse found a local buffer overflow in gv version 3.5.8 and earlier.
Under this vulnerability, an attacker can create a carefully crafted,
malformed PDF or PostScript file that, when viewed using gv, executes
arbitrary commands on the system.
http://marc.theaimsgroup.com/?l=bugtraq&m=103428425111983&w=2
When GV detects that the document is either a PDF file or a
GZip compressed file, it executes some commands with the help of the
system() function. Unfortunately, these commands contain the
filename, which can be considered as untrusted user input. It is then
possible to distribute a file (with a meticulously chosen filename,
that even seems innocent) that causes execution of arbitrary
shell commands when it is read with GV.
http://www.epita.fr/~bevand_m/asa/asa-0000
port.
- why bother creating a man page if we don't install it ?
- our echo does handle \n, so it needs to be protected.
- for that matter, yield a sensible list of directories for OpenBSD.
- INSTALL script that predates dependencies...
And:
- prepare for gs 7.00, detect the version of ghostscript installed,
and tweak resource files to use x11 device with aa options instead
of the older x11alpha. Mark resource files as no checksum accordingly.
Porters: please make sure you use bsd.port.mk 1.75 or later when
updating ports. That version of the makefile adds all sums. Previous
versions of the makefile will still work for people installing ports.
