Bug 214546 - www/libwww: Security vulnerabilities
Summary: www/libwww: Security vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Some People
Assignee: Jason Unovitch
URL:
Keywords: patch, security
Depends on: 214532
Blocks:
Reported: 2016-11-15 20:54 UTC by Danilo G. Baio
Modified: 2016-11-29 23:07 UTC (History)

See Also:
junovitch: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
libwww-5.4.0_6.patch (18.60 KB, patch)
2016-11-15 20:54 UTC, Danilo G. Baio
no flags

Description Danilo G. Baio freebsd_committer freebsd_triage 2016-11-15 20:54:42 UTC
Created attachment 177035
libwww-5.4.0_6.patch

- Add three patches from NetBSD pkgsrc to fix CVEs:
  CVE-2005-3183 (files/patch-Library_src_HTBound.c)
  CVE-2009-3560 (files/patch-modules_expat_xmlparse_xmlparse.c)
  CVE-2009-3720 (files/patch-modules_expat_xmltok_xmltok__impl.c)
- Add License
- Add USES=ssl
- Strip .so files (Q/A warnings)
- Regenerate old patches
- Bump PORTREVISION
[Q/A]

portlint: OK (looks fine.)
testport: 
	poudriere: i386,  9.3   (OK)
	poudriere: amd64, 9.3   (OK)
	poudriere: i386,  10.3  (OK)
	poudriere: amd64, 10.3  (OK)
	poudriere: i386,  11    (OK)
	poudriere: amd64, 11    (OK)
	poudriere: i386,  12    (OK)
	poudriere: amd64, 12    (OK)
Comment 1 Danilo G. Baio freebsd_committer freebsd_triage 2016-11-15 21:20:05 UTC
References:

CVE-2005-3183 (files/patch-Library_src_HTBound.c)
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/libwww/patches/patch-ap

CVE-2009-3560 (files/patch-modules_expat_xmlparse_xmlparse.c)
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/libwww/patches/patch-as

CVE-2009-3720 (files/patch-modules_expat_xmltok_xmltok__impl.c)
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/libwww/patches/patch-ar
Comment 2 marius 2016-11-19 10:57:13 UTC
Hi Danilo,

thanks for working on this!
I don't have time to thoroughly test or review the patch,
on a quick glance it looks good to me.

Do you want to take over as a maintainer of this port?

Thanks
Marius
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-19 11:22:50 UTC
@Danilo Thank you for this, great work
Comment 4 Danilo G. Baio freebsd_committer freebsd_triage 2016-11-19 21:50:38 UTC
Thank you both for the feedback.
If it's ok for you, I can take maintainership.
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2016-11-29 01:19:00 UTC
Take for review. Should commit tomorrow.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-11-29 23:00:17 UTC
A commit references this bug:

Author: junovitch
Date: Tue Nov 29 22:59:47 UTC 2016
New revision: 427403
URL: https://svnweb.freebsd.org/changeset/ports/427403

Log:
  www/libwww: address 3 security vulnerabilities; cleanup

  - Add three patches from NetBSD pkgsrc to fix CVEs:
    CVE-2005-3183 (files/patch-Library_src_HTBound.c)
    CVE-2009-3560 (files/patch-modules_expat_xmlparse_xmlparse.c)
    CVE-2009-3720 (files/patch-modules_expat_xmltok_xmltok__impl.c)
  - Add License
  - Add USES=ssl
  - Strip .so files (Q/A warnings)
  - Regenerate old patches
  - Pass MAINTAINER to submitter

  PR:		214546
  Submitted by:	Danilo G. Baio <dbaio@bsd.com.br>
  Approved by:	marius@nuenneri.ch (maintainer)
  Security:	CVE-2009-3720
  Security:	CVE-2009-3560
  Security:	CVE-2005-3183
  Security:	https://vuxml.FreeBSD.org/freebsd/18449f92-ab39-11e6-8011-005056925db4.html
  MFH:		2016Q4

Changes:
  head/www/libwww/Makefile
  head/www/libwww/files/patch-Library__src__HTMIMImp.c
  head/www/libwww/files/patch-Library_src_HTBound.c
  head/www/libwww/files/patch-configure
  head/www/libwww/files/patch-libwww-config.in
  head/www/libwww/files/patch-modules_expat_xmlparse_xmlparse.c
  head/www/libwww/files/patch-modules_expat_xmltok_xmltok__impl.c
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-11-29 23:01:22 UTC
A commit references this bug:

Author: junovitch
Date: Tue Nov 29 23:00:58 UTC 2016
New revision: 427404
URL: https://svnweb.freebsd.org/changeset/ports/427404

Log:
  MFH: r427403

  www/libwww: address 3 security vulnerabilities; cleanup

  - Add three patches from NetBSD pkgsrc to fix CVEs:
    CVE-2005-3183 (files/patch-Library_src_HTBound.c)
    CVE-2009-3560 (files/patch-modules_expat_xmlparse_xmlparse.c)
    CVE-2009-3720 (files/patch-modules_expat_xmltok_xmltok__impl.c)
  - Add License
  - Add USES=ssl
  - Strip .so files (Q/A warnings)
  - Regenerate old patches
  - Pass MAINTAINER to submitter

  PR:		214546
  Submitted by:	Danilo G. Baio <dbaio@bsd.com.br>
  Approved by:	marius@nuenneri.ch (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2009-3720
  Security:	CVE-2009-3560
  Security:	CVE-2005-3183
  Security:	https://vuxml.FreeBSD.org/freebsd/18449f92-ab39-11e6-8011-005056925db4.html

Changes:
_U  branches/2016Q4/
  branches/2016Q4/www/libwww/Makefile
  branches/2016Q4/www/libwww/files/patch-Library__src__HTMIMImp.c
  branches/2016Q4/www/libwww/files/patch-Library_src_HTBound.c
  branches/2016Q4/www/libwww/files/patch-configure
  branches/2016Q4/www/libwww/files/patch-libwww-config.in
  branches/2016Q4/www/libwww/files/patch-modules_expat_xmlparse_xmlparse.c
  branches/2016Q4/www/libwww/files/patch-modules_expat_xmltok_xmltok__impl.c
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2016-11-29 23:07:01 UTC
Committed. Thanks! The only feedback is we don't do the keywords on patch files (the $FreeBSD$). Our policy is they all use the nokeywords property (try `cd www/libwww/files; svn proplist *`).
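Comment 8 points at the ports policy that patch files under files/ must not carry $FreeBSD$ keyword lines. As an added example, not part of this bug report or of the ports tree, here is a small POSIX shell check that lists patch files containing such a line. It assumes a plain directory rather than a Subversion checkout (for instance, a patch extracted from the attachment) and builds its own constructed sample files, so it runs offline; on a real checkout, `svn proplist *` as Jason suggests is the authoritative check of the property itself.

```shell
#!/bin/sh
# Added example, not from the bug or the ports tree: an offline approximation
# of the nokeywords policy from comment 8. It flags patch files that contain a
# $FreeBSD$ keyword line. On a Subversion checkout the real check is
# `svn proplist *` in the files/ directory; this grep only looks at content.
set -u

# Print every files/patch-* file under $1 that contains a $FreeBSD$ keyword.
# Returns 0 when the directory is clean, 1 when at least one file is flagged.
find_keyword_patches() {
    dir=$1
    found=0
    for f in "$dir"/patch-*; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        # Single quotes keep $FreeBSD$ from being expanded by the shell;
        # the backslashes make both dollar signs literal for grep.
        if grep -q -- '\$FreeBSD\$' "$f"; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# Number of flagged files, convenient for scripted checks.
count_keyword_patches() {
    find_keyword_patches "$1" | wc -l | tr -d ' '
}

# Constructed sample: two patch files in a temporary directory, one clean and
# one carrying the keyword line. The hunks are placeholders, not real patches.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/patch-Library_src_HTBound.c" <<'EOF'
--- Library/src/HTBound.c.orig
+++ Library/src/HTBound.c
@@ -1,3 +1,3 @@
 /* constructed sample hunk, clean file */
EOF
    cat > "$d/patch-configure" <<'EOF'
$FreeBSD$
--- configure.orig
+++ configure
@@ -1,3 +1,3 @@
 # constructed sample hunk, file with a keyword line
EOF
    printf '%s\n' "$d"
}

# Clean constructed sample with a single keyword-free patch file.
make_clean_dir() {
    d=$(mktemp -d)
    printf -- '--- a.orig\n+++ a\n' > "$d/patch-a"
    printf '%s\n' "$d"
}

# Stand-alone use: check the directory given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then target=$1; else target=$(make_sample_dir); fi
if find_keyword_patches "$target"; then
    echo "OK: no \$FreeBSD\$ keyword lines in $target"
else
    echo "FAIL: the files listed above carry \$FreeBSD\$ keyword lines"
fi
```

Run it with the path of a port's files/ directory to check real patches; with no argument it exercises the constructed sample and flags the file with the keyword line.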