Bug 203761 - [MAINTAINER] net-p2p/bitcoin: Chase net/miniupnpc update, Resolve security vulnerability
Summary: [MAINTAINER] net-p2p/bitcoin: Chase net/miniupnpc update, Resolve security vu...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jan Beich
URL: http://talosintel.com/reports/TALOS-2...
Keywords: easy, patch, patch-ready, regression
Depends on:
Blocks: 203705
  Show dependency treegraph
 
Reported: 2015-10-14 07:23 UTC by robbak
Modified: 2015-10-14 15:00 UTC (History)
2 users (show)

See Also:
robbak: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Makefile patch to bump portrevision, chasing miniupnpc upgrade (230 bytes, patch)
2015-10-14 07:23 UTC, robbak
no flags Details | Diff
Patch to bump portrevision, chasing miniupnpc upgrade (1.12 KB, patch)
2015-10-14 08:59 UTC, robbak
robbak: maintainer-approval+
Details | Diff
Portlint output. (373 bytes, text/plain)
2015-10-14 11:28 UTC, robbak
no flags Details
Poudriere log of build. (259.29 KB, text/plain)
2015-10-14 11:43 UTC, robbak
no flags Details
Patch to bump portrevision, chasing miniupnpc upgrade; pet portlint (1.42 KB, patch)
2015-10-14 11:45 UTC, robbak
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description robbak 2015-10-14 07:23:17 UTC
Created attachment 162015 [details]
Makefile patch to bump portrevision, chasing miniupnpc upgrade

This patch to Makefile chases the net/miniupnpc upgrade, which will resolve the buffer overflow bug referenced in http://talosintel.com/reports/TALOS-2015-0035 for the bitcoin ports.
Comment 1 robbak 2015-10-14 07:35:54 UTC
Hold off on this - I've just found a build error from miniupnpc
Comment 2 robbak 2015-10-14 08:59:27 UTC
Created attachment 162019 [details]
Patch to bump portrevision, chasing miniupnpc upgrade

Corrected patch to chase miniupnpc upgrade. A function definition had changed, so we needed to pick a patch for src/net.cpp to allow for this.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-14 10:21:04 UTC
robbak, could you provide QA (portlint, poudriere) results as attachments please
Comment 4 robbak 2015-10-14 11:28:26 UTC
Created attachment 162028 [details]
Portlint output.
Comment 5 robbak 2015-10-14 11:43:09 UTC
Created attachment 162029 [details]
Poudriere log of build.
Comment 6 robbak 2015-10-14 11:45:24 UTC
Created attachment 162030 [details]
Patch to bump portrevision, chasing miniupnpc upgrade; pet portlint

Slight adjustment, as reccomended by portlint
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-10-14 14:58:01 UTC
A commit references this bug:

Author: jbeich
Date: Wed Oct 14 14:57:34 UTC 2015
New revision: 399270
URL: https://svnweb.freebsd.org/changeset/ports/399270

Log:
  net-p2p/bitcoin: chase r399209

  https://github.com/miniupnp/miniupnp/commit/1da63faa4fff5cb30e5d4b848ceef80a292382b9

  PR:		203761
  Submitted by:	robbak@gmail.com (based on)
  Obtained from:	upstream
  MFH:		2015Q4
  X-MFH-With:	r399209

Changes:
  head/net-p2p/bitcoin/Makefile
  head/net-p2p/bitcoin/files/patch-src_net.cpp
  head/net-p2p/bitcoin-utils/Makefile
Comment 8 Jan Beich freebsd_committer freebsd_triage 2015-10-14 15:00:19 UTC
Bug 203705 is 'security' fix while 'regression' here is about build breakage and runtime crash due to API/ABI changes. There's nothing to fix until that bug is MFH'd first.

net-p2p/bitcoin-utils lacks UPNP option, so no need to bump PORTREVISION there.