221867 – [patch] graphics/atril update to 1.18.1 to fix CVE-2017-1000083

Bug 221867 - [patch] graphics/atril update to 1.18.1 to fix CVE-2017-1000083

Summary: [patch] graphics/atril update to 1.18.1 to fix CVE-2017-1000083

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-gnome (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2017-08-27 21:00 UTC by rkoberman
Modified:	2017-11-11 01:03 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (gnome)

Attachments
svn diff to update graphics/atril to 1.18.1 (Vulnerability fix) (872 bytes, text/plain) 2017-08-27 21:00 UTC, rkoberman	no flags	Details
[patch] update vuxml for atril (608 bytes, patch) 2017-08-28 19:44 UTC, John Hein	no flags	Details \| Diff
Corrected patch to update graphics/atril to 1.18.1 (1.19 KB, patch) 2017-08-29 00:21 UTC, rkoberman	no flags	Details \| Diff
Companion fix for graphics/atril-lite slave port (641 bytes, patch) 2017-08-29 00:34 UTC, rkoberman	no flags	Details \| Diff
Corrected PORTEVISION (1.19 KB, patch) 2017-08-29 02:33 UTC, rkoberman	no flags	Details \| Diff
Corrected PORTEVISION (642 bytes, patch) 2017-08-29 02:34 UTC, rkoberman	no flags	Details \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description rkoberman 2017-08-27 21:00:51 UTC

Created attachment 185828 [details]
svn diff to update graphics/atril to 1.18.1 (Vulnerability fix)

Atril is vulnerable to CVE-2017-1000083. This was resolved upstream over a month ago by disabling .cbt files and the fix was merged into 1.18.1. This is a simple PORTVERSION change plus updated distfiles.

Tested on amd64 on 11.1.

NOTE: The vuxml file shows this as fixed in 1.19.0. This is incorrect because 1.19.0 does not fix hte vulnerability and the fix was merged into both 1.18 and 1.19 and new releases generated as 1.18.1 and 1.19.1. 1.19 is a development release, so the update is to 1.18.1. I am not sure how to get the vuxml updated.

Comment 1 John Hein 2017-08-27 23:00:45 UTC

(In reply to rkoberman from comment #0)
Instead of removing PORTREVISION?=1 in graphics/atril/Makefile change it to 0.  Also change it to 0 in the atril-lite slave port.

Comment 2 John Hein 2017-08-27 23:08:58 UTC

(In reply to John Hein from comment #1)
Also remove CR line endings from your patch.

Comment 3 rkoberman 2017-08-28 02:17:39 UTC

(In reply to John Hein from comment #1)
Guess I have not worked on a pert for an updated PORTVERSION since this changed back in February. Won't so it again.

Comment 4 rkoberman 2017-08-28 02:19:29 UTC

(In reply to John Hein from comment #2)
Sorry. I usually output the diff to a file, but this was so small I just cut and  pasted it.  I'll try to not do that again.

Comment 5 John Hein 2017-08-28 19:44:58 UTC

Created attachment 185845 [details]
[patch] update vuxml for atril

Kevin, if what you say is correct about the versions, attached is a vuxml update.  You may want to get the attention of ports-secteam@freebsd.org for that (maybe just add them to the CC list here?) - see also bug 220713.

Comment 6 John Hein 2017-08-28 23:16:10 UTC

(In reply to rkoberman from comment #4)
Kevin, please attach an updated patch with the CRs removed and PORTREVISION set properly for atril & atril-lite.

For general info: atril-1.18.1 built from this patch works fine for me - test with some PDF viewing.

Comment 7 rkoberman 2017-08-29 00:21:53 UTC

Created attachment 185852 [details]
Corrected patch to update graphics/atril to 1.18.1

Updated patch to (mostly) make portlint happy.

Comment 8 rkoberman 2017-08-29 00:34:28 UTC

Created attachment 185853 [details]
Companion fix for graphics/atril-lite slave port

Patch to graphics/atril-lite (slave port) fixed to make portlint (mostly) happy. No real change except PORTREVISION.

Comment 9 John Hein 2017-08-29 01:16:25 UTC

(In reply to rkoberman from comment #7)
Thanks.  But it's best to use PORTREVISION?= in atril because of the slave port.

Comment 10 rkoberman 2017-08-29 02:33:58 UTC

Created attachment 185855 [details]
Corrected PORTEVISION

Comment 11 rkoberman 2017-08-29 02:34:56 UTC

Created attachment 185856 [details]
Corrected PORTEVISION

Comment 12 commit-hook freebsd_committer

2017-09-06 18:26:07 UTC

A commit references this bug:

Author: truckman
Date: Wed Sep  6 18:25:05 UTC 2017
New revision: 449351
URL: https://svnweb.freebsd.org/changeset/ports/449351

Log:
  Correct vulnerability range for atril and atril-lite.

  PR:		221867
  Submitted by:	rkoberman@gmail.com
  Security:	CVE-2017-1000083

Changes:
  head/security/vuxml/vuln.xml

Comment 13 commit-hook freebsd_committer

2017-09-06 18:35:16 UTC

A commit references this bug:

Author: truckman
Date: Wed Sep  6 18:34:46 UTC 2017
New revision: 449354
URL: https://svnweb.freebsd.org/changeset/ports/449354

Log:
  Upgrade graphics/atril and graphics/atril-lite to version 1.18.1 to
  fix CVE-2017-1000083.

  Fix portlint warnings.

  PR:		221867
  Submitted by:	rkoberman@gmail.com
  MFH:		2017Q3
  Security:	01a197ca-67f1-11e7-a266-28924a333806

Changes:
  head/graphics/atril/Makefile
  head/graphics/atril/distinfo
  head/graphics/atril-lite/Makefile

Comment 14 John Hein 2017-11-10 22:43:36 UTC

Why is this bug still open?

Comment 15 Don Lewis freebsd_committer

2017-11-11 01:03:06 UTC

Fixed in r449354, which is included in the 2017Q4 quarterly branch.