A security issue (buffer overflow in parsing HTML) has been fixed in tidy 4.9.31.
https://github.com/htacg/tidy-html5/issues/217

It seems there are a few versions of tidy in the ports tree:
- www/tidy-html5 is tidy 4.9.30, which should be bumped to 4.9.31
- www/tidy-devel is libtidy-0.99 or tidy 090315-cvs on sourceforge, which looks abandoned since 2009
- www/tidy-lib just depends on tidy-devel
- www/tidy is tidy 20000804, and looks abandoned since 2000

If I parse the github issue correctly:
- www/tidy-html5 is vulnerable
- www/tidy-devel is vulnerable. It has the affected code part in tmbstr.c. Bug report says: "I can confirm this BUG exists in the 2008/9 libtidy.0.99.so last release, the sourceforge cvs tidy, which is still present in some distributions. Just the quite unique nature of using 'code' ending in spaces or a newline just before an attribute with a 'blank' value prevents it from being seen more often."
- www/tidy seems NOT vulnerable. It does not seem to have the affected code snippet. Bug report says: "Interestingly, it is NOT present in TidyAug2000 [...]"

The solution for www/tidy-html5 seems a trivial version bump, but the www/tidy-devel upstream seems unmaintained, so we possibly should add a patch. Alternatively, if tidy-html5 is more-or-less a drop-in replacement for tidy-devel, it might be a good moment to get rid of the unmaintained www/tidy and www/tidy-devel ports.
A commit references this bug:
Author: thierry
Date: Mon Jun 8 16:59:41 UTC 2015
New revision: 388845
URL: https://svnweb.freebsd.org/changeset/ports/388845
Log:
  Upgrade to 5.9.32.
  This fixes a security problem (heap-buffer-overflow): see https://github.com/htacg/tidy-html5/issues/217
  PR: ports/200631
  Submitted by: Walter Hop
  Security: https://github.com/htacg/tidy-html5/issues/217
Changes:
  head/www/tidy-html5/Makefile
  head/www/tidy-html5/distinfo
www/tidy-html5 has been upgraded to the latest release (4.9.32). I have a plan to make it the default tidy (see PR ports/198138), but it is still considered as beta ATM. A patch for www/tidy-devel would be appreciated (and surely for www/tidy too!). It seems that www/tidy (the legacy version) is still used by textproc/p5-EBook-Tools and I don't know if it could be replaced by a modern version (dinoex@ is Cc:'ed).
A commit references this bug:
Author: thierry
Date: Mon Jun 8 17:30:49 UTC 2015
New revision: 388847
URL: https://svnweb.freebsd.org/changeset/ports/388847
Log:
  Add an entry for www/tidy-* heap-buffer-overflow.
  PR: ports/200631
  Submitted by: Walter Hop
Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:
Author: thierry
Date: Mon Jun 8 18:06:09 UTC 2015
New revision: 388849
URL: https://svnweb.freebsd.org/changeset/ports/388849
Log:
  Backport the fix from www/tidy-html5.
  PR: ports/200631
  Submitted by: Walter Hop
  Security: VuXML: bd1ab7a5-0e01-11e5-9976-a0f3c100ae18
Changes:
  head/www/tidy-devel/Makefile
  head/www/tidy-devel/files/patch-build_gmake_Makefile
  head/www/tidy-devel/files/patch-build_gnuauto_configure.in
  head/www/tidy-devel/files/patch-build_gnuauto_include_Makefile.am
  head/www/tidy-devel/files/patch-console__tidy.c
  head/www/tidy-devel/files/patch-include_platform.h
  head/www/tidy-devel/files/patch-src_lexer.c
  head/www/tidy-devel/pkg-plist
A commit references this bug:
Author: thierry
Date: Tue Jun 16 16:52:52 UTC 2015
New revision: 389854
URL: https://svnweb.freebsd.org/changeset/ports/389854
Log:
  MFH: r388849
  Backport the fix from www/tidy-html5.
  PR: ports/200631
  Submitted by: Walter Hop
  Security: VuXML: bd1ab7a5-0e01-11e5-9976-a0f3c100ae18
  Approved by: ports-secteam (implicit)
  Reminded by: Fabiano Sidler
Changes:
  _U branches/2015Q2/
  branches/2015Q2/www/tidy-devel/Makefile
  branches/2015Q2/www/tidy-devel/files/patch-build_gmake_Makefile
  branches/2015Q2/www/tidy-devel/files/patch-build_gnuauto_configure.in
  branches/2015Q2/www/tidy-devel/files/patch-build_gnuauto_include_Makefile.am
  branches/2015Q2/www/tidy-devel/files/patch-console__tidy.c
  branches/2015Q2/www/tidy-devel/files/patch-include_platform.h
  branches/2015Q2/www/tidy-devel/files/patch-src_lexer.c
  branches/2015Q2/www/tidy-devel/pkg-plist
Created attachment 158783
security/vuxml update for CVE assignment
- Document assignment of CVE-2015-5522 and CVE-2015-5523 for tidy heap buffer overflow
Reference Mitre's cve-assign: http://seclists.org/oss-sec/2015/q3/116
A commit references this bug:
Author: feld
Date: Wed Jul 15 15:19:54 UTC 2015
New revision: 392155
URL: https://svnweb.freebsd.org/changeset/ports/392155
Log:
  Reference another URL for tidy's CVE
  PR: 200631
  Security: bd1ab7a5-0e01-11e5-9976-a0f3c100ae18
Changes:
  head/security/vuxml/vuln.xml
Is there anything else outstanding or can this bug be closed?
(In reply to Mark Felder from comment #8) Yes: the original www/tidy should be patched or removed! Cc: dinoex
(In reply to Mark Felder from comment #8)
Mark, textproc/p5-EBook-Tools uses www/tidy as a runtime dep. Interestingly enough this functionality is currently broken. See below.
    # ebook tidyxml /usr/ports/security/vuxml/vuln.xml
    Can't exec "tidy": No such file or directory at /usr/local/lib/perl5/site_perl/EBook/Tools.pm line 6812.
    Tidy did something unexpected (return value=-1). Check all output. at /usr/local/bin/ebook line 1383.
I just opened bug 201703 with a patch to update the port's dependency to use www/tidy-html5 along with ensuring that tidy actually works. While there, I went ahead and updated it to the latest 0.5.4 version. Once that is done we could consider www/tidy for removal.
(In reply to Jason Unovitch from comment #10) Bug 201703 for textproc/p5-EBook-Tools is closed so that is one less dependency blocking a removal of the old www/tidy port. I didn't notice on my first look that www/bluefish also refers to www/tidy.
This is surely overcome by events or fixed and can be closed.