Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id A4EA6A6562 for ; Tue, 13 Oct 2015 18:02:12 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 605) id 444CF14A3BE; Tue, 13 Oct 2015 18:02:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 895E314A3BD for ; Tue, 13 Oct 2015 18:02:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 1hOWGRHL5A4q for ; Tue, 13 Oct 2015 18:02:11 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 1630B14A2CB for ; Tue, 13 Oct 2015 18:02:11 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500) id 0A83F98; Tue, 13 Oct 2015 18:02:11 +0000 (UTC)
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Tue, 13 Oct 2015 18:02:11 +0000
From: "Sergey Svishchev"
Subject: CVS commit: pkgsrc/audio/ezstream
To: pkgsrc-changes@NetBSD.org
Reply-To: shattered@netbsd.org
X-Mailer: log_accum
Message-Id: <20151013180211.0A83F98@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

Module Name:	pkgsrc
Committed By:	shattered
Date:		Tue Oct 13 18:02:10 UTC 2015

Modified Files:
	pkgsrc/audio/ezstream: Makefile distinfo

Log Message:
Update to 0.6.0.
Changes:

* This release contains a SECURITY FIX for a command injection vulnerability that was found and reported by Alexandre Rebert: The previous handling of metadata placeholders allowed for arbitrary shell commands to be trivially injected and executed as the ezstream user, via malicious media files.

* This release requires users to ADJUST their CONFIGURATION: To protect against the injection vulnerability above, metadata is now properly quoted and escaped from the shell. This means that any extra quoting must be removed from configuration files. Remove all quoting from metadata placeholders in and commands, e.g. replace "@M@" with @M@, and "@T@" with @T@, etc. Without these changes, stream metadata will look wrong and the injection vulnerability may be re-introduced.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/audio/ezstream/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/audio/ezstream/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
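The bug class the log message describes, and the configuration caveat it ends with, modelled as an added example. This is not ezstream's code and not from the pkgsrc commit: the real placeholder expander, the full placeholder set and the exact escaping ezstream 0.6.0 uses are not on this page. The model handles a single placeholder, @T@ (the title placeholder named in the changelog), substitutes it into a constructed command template, and hardens it by wrapping the value in single quotes, which is the standard way to make a string one literal word for /bin/sh. The sample titles and the `echo @T@` template are constructed; the "stale config" case illustrates the changelog's warning that leaving `"@T@"` quoted in the configuration re-introduces the injection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes so /bin/sh passes it through as one literal word.
 * A single quote cannot appear inside single quotes, so each one is written
 * as '\'' (close the quote, backslash-escaped quote, reopen the quote).
 * Returns the number of bytes written, or -1 if out is too small. */
int shell_quote(const char *s, char *out, size_t outlen)
{
    size_t n = 0;

    if (n + 1 >= outlen)
        return -1;
    out[n++] = '\'';
    for (; *s != '\0'; s++) {
        if (*s == '\'') {
            if (n + 4 >= outlen)
                return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = *s;
        }
    }
    if (n + 1 >= outlen)
        return -1;
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Replace every @T@ in tmpl with title (model of a metadata placeholder
 * expander; hypothetical, not ezstream's). quote == 0 is the vulnerable
 * raw substitution; quote != 0 passes the title through shell_quote()
 * first. Returns 0, or -1 if out is too small. */
int expand_template(const char *tmpl, const char *title, int quote,
                    char *out, size_t outlen)
{
    char quoted[1024];
    const char *val = title;
    size_t n = 0;

    if (outlen == 0)
        return -1;
    if (quote) {
        if (shell_quote(title, quoted, sizeof quoted) < 0)
            return -1;
        val = quoted;
    }
    while (*tmpl != '\0') {
        if (strncmp(tmpl, "@T@", 3) == 0) {
            size_t vl = strlen(val);
            if (n + vl >= outlen)
                return -1;
            memcpy(out + n, val, vl);
            n += vl;
            tmpl += 3;
        } else {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = *tmpl++;
        }
    }
    out[n] = '\0';
    return 0;
}

/* 1 if expanding tmpl with title yields exactly expected, else 0. */
int expands_to(const char *tmpl, const char *title, int quote,
               const char *expected)
{
    char buf[2048];

    if (expand_template(tmpl, title, quote, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a track title crafted to break out of the command. */
    const char *evil = "x; echo INJECTED";
    char cmd[2048];

    expand_template("echo @T@", evil, 0, cmd, sizeof cmd);
    printf("raw (pre-0.6.0 style): %s\n", cmd);   /* sh runs "echo INJECTED" too */
    (void)system(cmd);

    expand_template("echo @T@", evil, 1, cmd, sizeof cmd);
    printf("quoted:                %s\n", cmd);   /* one literal argument */
    (void)system(cmd);

    /* Stale config: the template still carries the old "@T@" double quotes.
     * Inside double quotes the inner single quotes are literal and $(id)
     * is expanded by the shell again, so the injection comes back. */
    expand_template("echo \"@T@\"", "$(id)", 1, cmd, sizeof cmd);
    printf("stale config:          %s\n", cmd);
    (void)system(cmd);
    return 0;
}
```

Run it and compare the three `system()` outputs: only the raw expansion prints `INJECTED`, the quoted one prints the title verbatim, and the stale-config line prints the output of `id` in place of the title, which is exactly why the changelog tells you to strip the old quotes from every placeholder when upgrading.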