Created attachment 229127
archivers/advancecomp: Update to 2.2.g20210429

This updates archivers/advancecomp to a few commits after the 2.1 version. This is needed as CVE-2019-9210, CVE-2019-8383, and CVE-2019-8379 are open in 2.1 but fixed in the git repository. No significant other changes have occurred since version 2.1.

While we are at it...

- follow project to new upstream
- unbundle libdeflate
- hook up test suite
- add a BZIP2 option
- take maintainership of this unmaintained port

Relevant upstream changes:

- Added support for reading MNG files with depth of 1, 2, and 4 bits.
- Fixed a crash condition with invalid ZIP data.
- Support ZIPs with data descriptor signature.

Tested with Poudriere on armv7, arm64 FreeBSD 13. Test suite passes (if BZIP2 is disabled), portlint is happy.

Please MFH this change as it fixes open security problems.
Thank you for taking maintainership and addressing these security issues.

- Pending VuXML entry, if you could do that please Robert
- BZIP_CONFIGURE_ENABLE=bzip is not used because the disable case doesn't work with the software's current autoconf files.
Approved by: portmgr (blanket: unmaintained port)
Tested successfully with Poudriere on amd64 i386 FreeBSD 12/13.
Created attachment 229256
security/vuxml: add entry for archivers/advancecomp

Add vuxml entry
@ports-secteam Do you have cycles to land this?
Please check this example for versioning https://docs.freebsd.org/en/books/porters-handbook/book/#makefile-master_sites-github-ex5 Others look good.
Created attachment 229289
archivers/advancecomp: Update to 2.1-6

Update patch to use recommended DISTVERSION.
Maybe I am wrong, but I have never seen syntax like "2.2.*" in VuXML's affected version and I am not sure if it works. Are you able to change it to a specific version number?
(In reply to Guangyuan Yang from comment #8)

There is no version out that fixes this. I had used 2.2.* to cover the version I had originally used for this patch (i.e. 2.2.g20210429). The meaning is:

> In a range specification, * (asterisk) denotes the smallest version number. In particular, 2.* is less than 2.a. Therefore an asterisk may be used for a range to match all possible alpha, beta, and RC versions. For instance, <ge>2.</ge><lt>3.</lt> will selectively match every 2.x version while <ge>2.0</ge><lt>3.0</lt> will not since the latter misses 2.r3 and matches 3.b.

(see Porter's Handbook, §12.3.2 A Short Introduction to VuXML)

However it is correct that with the corrected version for this patch, this is no longer correct. Please change the upper bound to <lt>2.1.6</lt> to address this.
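As an added illustration of the range discussion above (not the entry the later commit adds to vuln-2021.xml, whose text is not shown in this thread), here is a VuXML entry of the shape the thread describes, with the rejected `<lt>2.2.*</lt>` bound beside the corrected `<lt>2.1.6</lt>`. The vid and CVE numbers are taken from the thread; the topic wording, description text and discovery date are placeholders, and the entry date is assumed to be the commit date.

```xml
<!-- Constructed example entry for security/vuxml/vuln-2021.xml -->
<vuln vid="0bf816f6-3cfe-11ec-86cd-dca632b19f10">
  <topic>advancecomp -- multiple vulnerabilities (placeholder topic)</topic>
  <affects>
    <package>
      <name>advancecomp</name>
      <!--
        Wrong (original attachment): <lt>2.2.*</lt>
        Per the handbook text quoted above, "*" is the smallest version
        number, so 2.2.* is below every real 2.2.x release.  That is fine
        when the fixed port is 2.2.g20210429, but once the fix ships as
        DISTVERSION 2.1-6 (PORTVERSION 2.1.6), 2.1.6 is still < 2.2.*, and
        the fixed port would be reported as vulnerable by pkg audit.
      -->
      <!-- Correct for the committed fix: -->
      <range><lt>2.1.6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Placeholder: summarise the upstream advisory here; the thread only
        notes that the listed CVEs are fixed in upstream git after 2.1.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-8379</cvename>
    <cvename>CVE-2019-8383</cvename>
    <cvename>CVE-2019-9210</cvename>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery> <!-- placeholder: not stated in the thread -->
    <entry>2021-11-19</entry>          <!-- assumed: date of the VuXML commit -->
  </dates>
</vuln>
```

After editing, `make validate` in security/vuxml checks the XML, and `pkg audit -f /tmp/vuln.xml advancecomp-2.1.6` style spot checks confirm the range excludes the fixed version.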
(In reply to Guangyuan Yang from comment #8) Hi, Is there anything that prevents this patch from being committed?
(In reply to Robert Clausecker from comment #10) I will take it from here, thanks.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=866e2e83cf2879600df62d4111c32333145b3f0c

commit 866e2e83cf2879600df62d4111c32333145b3f0c
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2021-11-19 09:47:50 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2021-11-19 09:47:50 +0000

    security/vuxml: Document archivers/advancecomp vulnerabilities

    PR: 259534

 security/vuxml/vuln-2021.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=684b29d2c7710765c50bd3541723ea4f58b1d474

commit 684b29d2c7710765c50bd3541723ea4f58b1d474
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2021-11-19 09:50:36 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2021-11-19 09:50:36 +0000

    archivers/advancecomp: Update to 2.1-6 and take maintainership

    - Switch to new upstream
    - Unbundle libdeflate
    - Hookup test suite
    - Add a BZIP2 option

    PR:       259534
    MFH:      2021Q4 (security fix)
    Security: 0bf816f6-3cfe-11ec-86cd-dca632b19f10

 archivers/advancecomp/Makefile                     | 27 +++++++++++++++-------
 archivers/advancecomp/distinfo                     |  6 ++---
 .../advancecomp/files/patch-Makefile.am (new)      | 11 +++++++++
 3 files changed, 33 insertions(+), 11 deletions(-)
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=862b0bebc530a35bf92ae119066246bc86a21de0

commit 862b0bebc530a35bf92ae119066246bc86a21de0
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2021-11-19 09:50:36 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2021-11-19 09:59:15 +0000

    archivers/advancecomp: Update to 2.1-6 and take maintainership

    - Switch to new upstream
    - Unbundle libdeflate
    - Hookup test suite
    - Add a BZIP2 option

    PR:       259534
    MFH:      2021Q4 (security fix)
    Security: 0bf816f6-3cfe-11ec-86cd-dca632b19f10

    (cherry picked from commit 684b29d2c7710765c50bd3541723ea4f58b1d474)

 archivers/advancecomp/Makefile                     | 27 +++++++++++++++-------
 archivers/advancecomp/distinfo                     |  6 ++---
 .../advancecomp/files/patch-Makefile.am (new)      | 11 +++++++++
 3 files changed, 33 insertions(+), 11 deletions(-)