Subject: CVS commit: pkgsrc/audio/ezstream
From: Sergey Svishchev
Date: 2015-10-13 20:02:10
Message id: 20151013180211.0A83F98@cvs.netbsd.org

Log Message:
Update to 0.6.0.  Changes:

 * This release contains a SECURITY FIX for a command injection vulnerability
   that was found and reported by Alexandre Rebert:

   The previous handling of metadata placeholders allowed for arbitrary shell
   commands to be trivially injected and executed as the ezstream user, via
   malicious media files.

 * This release requires users to ADJUST their CONFIGURATION:

   To protect against the injection vulnerability above, metadata is now
   properly quoted and escaped from the shell. This means that any extra
   quoting must be removed from configuration files.

   Remove all quoting from metadata placeholders in <encode/> and \ 
<decode/>
   commands, e.g. replace "@M@" with @M@, and "@T@" with \ 
@T@, etc. Without
   these changes, stream metadata will look both wrong and the injection
   vulnerability may be re-introduced.

Files:
RevisionActionfile
1.8modifypkgsrc/audio/ezstream/Makefile
1.3modifypkgsrc/audio/ezstream/distinfo