# php5-gd -- uninitialized memory information disclosure vulnerability



## dave (Jan 24, 2009)

Anyone having this problem?


```
#portmaster -a

[...snip...]

===>>> Starting build for ports that need updating <<<===

===>>> Launching child to update php5-gd-5.2.5

===>>> Port directory: /usr/ports/graphics/php5-gd
===>>> Starting check for build dependencies
===>>> Gathering dependency list for graphics/php5-gd from ports
===>>> Starting dependency check
===>>> Dependency check complete for graphics/php5-gd

===>  Cleaning for php5-gd-5.2.8

===>  php5-gd-5.2.8 has known vulnerabilities:
=> php5-gd -- uninitialized memory information disclosure vulnerability.
   Reference: <http://www.FreeBSD.org/ports/portaudit/58a3c266-db01-11dd-ae30-001cc0377035.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.
*** Error code 1

Stop in /usr/ports/graphics/php5-gd.

===>>> make failed for graphics/php5-gd
===>>> Aborting update

===>>> Update for php5-gd-5.2.5 failed
===>>> Aborting update
```

I have updated ports tree to no avail.


----------



## ale (Jan 25, 2009)

It means that the port has a vulnerability, for example a bug that could be exploited remotely. It could be a threat to the security of your system using that port.
If you don't care about that, try `# make -DDISABLE_VULNERABILITIES install`


----------
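As an added example (not from the thread and not part of the FreeBSD tools): a POSIX shell filter that reads a build log in the format dave posted and lists each blocked package with its advisory title and reference URL, so the vulnerability check can be reviewed per port before anyone overrides it. The function names `blocked_ports` and `audit_gate` are hypothetical, and the second block in the sample log is constructed.

```sh
#!/bin/sh
# Sample log: the php5-gd block is copied from the post above,
# the example-port block is constructed for illustration.
SAMPLE_LOG='===>>> Launching child to update php5-gd-5.2.5
===>  Cleaning for php5-gd-5.2.8
===>  php5-gd-5.2.8 has known vulnerabilities:
=> php5-gd -- uninitialized memory information disclosure vulnerability.
   Reference: <http://www.FreeBSD.org/ports/portaudit/58a3c266-db01-11dd-ae30-001cc0377035.html>
=> Please update your ports tree and try again.
*** Error code 1
===>  example-port-1.0 has known vulnerabilities:
=> example-port -- constructed advisory title.
   Reference: <http://example.invalid/constructed-advisory.html>
=> Please update your ports tree and try again.'

# Read a build log on stdin; print "package<TAB>advisory<TAB>url" per advisory.
blocked_ports() {
    awk '
        # "===>  <pkg> has known vulnerabilities:" opens a block for one package
        /^===>[ ]+[^ ]+ has known vulnerabilities:/ { pkg = $2; title = ""; next }
        # the closing hint line ends the block and is not an advisory
        pkg != "" && /^=> Please update your ports tree/ { pkg = ""; next }
        # "=> <title>." names one advisory; drop the marker and trailing period
        pkg != "" && /^=> / { title = substr($0, 4); sub(/\.$/, "", title); next }
        # "   Reference: <url>" completes the advisory record
        pkg != "" && title != "" && /^[ \t]+Reference: </ {
            url = $0; sub(/^[^<]*</, "", url); sub(/>.*$/, "", url)
            printf "%s\t%s\t%s\n", pkg, title, url
            title = ""
        }
    '
}

# Return 1 when the log on stdin shows any blocked port, so a wrapper script
# can stop and ask for a decision instead of overriding the check everywhere.
audit_gate() {
    report=$(blocked_ports)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
}

printf '%s\n' "$SAMPLE_LOG" | blocked_ports
```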



## danger@ (Jan 25, 2009)

If the above solution is not gonna work for you, the port is probably marked as `FORBIDDEN`, thus you will have to edit its Makefile and comment out the given line.


----------



## dave (Jan 25, 2009)

DISABLE_VULNERABILITIES worked fine.


----------



## jkcarrol (Jan 28, 2009)

I'm wondering why this has still not been addressed. The VuXML was updated over 3 weeks ago.

I have a gallery2 server that is visible to the internet at large, and it's either a) keep gallery up so $wife doesn't complain or b) take it down to avoid an exploitation.

Anyone know what the hold up is? Has anyone contacted ale@ directly about it? I know there's at least one PR on this.


----------



## dave (Jan 28, 2009)

I have been running a portsnap each morning, expecting an update, but none.  I am surprised, too.  I don't know ale@, but have seen him around on this forum.


----------

