Created attachment 239260 [details]
patch to update to viewvc-1.3.0-20230104-a239c4a93093d9f3e0e34ea4d254bde463ad38b1

CVE-2023-22456 and CVE-2023-22464 were published for ViewVC, and these also affect viewvc-1.3.0-20201006-c93d9da79c31457ecb0a771ff52d28353dc6e878. So I'd like to update this port to fixed commit a239c4a93093d9f3e0e34ea4d254bde463ad38b1.
<https://www.freshports.org/devel/viewvc-devel/>

CVE-2023-22464 at <https://github.com/viewvc/viewvc/releases/tag/1.1.30>
This patch fixes

(In reply to Graham Perrin from comment #1)
Are you saying this patch fixes CVE-2023-22464? I agree given the URL above.

For CVE-2023-22456, see https://github.com/viewvc/viewvc/issues/311 where a fix was committed "to Enalean/tuleap" - so I conclude that is not patched.
In ViewVC-1.3.0-dev:

* CVE-2023-22456 was fixed in 27b93ff235ba99d6b2fdff19982b81070f34e9ad (https://github.com/viewvc/viewvc/commit/27b93ff235ba99d6b2fdff19982b81070f34e9ad)
* CVE-2023-22464 was fixed in commit a1db57ea9b22c72f65b06c8f00f246dbea97bb30 (https://github.com/viewvc/viewvc/commit/a1db57ea9b22c72f65b06c8f00f246dbea97bb30), and it was then recorded in the CHANGES file that CVE-2023-22464 was fixed, in commit a239c4a93093d9f3e0e34ea4d254bde463ad38b1 (https://github.com/viewvc/viewvc/commit/a239c4a93093d9f3e0e34ea4d254bde463ad38b1).
ViewVC 1.1.30 is a release on 1.1.x branch, which was supported in devel/viewvc.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f90173ae51b8d453489ddf9c2d84783745473870

commit f90173ae51b8d453489ddf9c2d84783745473870
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 17:27:12 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 17:28:59 +0000

    devel/viewvc-devel: update to 1.3.0-20230104

    fixes CVE-2023-22464 re cross site scripting

    PR:		268754
    Security:	CVE-2023-22464

 devel/viewvc-devel/Makefile | 8 +++-----
 devel/viewvc-devel/distinfo | 6 +++---
 2 files changed, 6 insertions(+), 8 deletions(-)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ba3d2c278d69f3fd3efa8b00ff832d04928e3d6e

commit ba3d2c278d69f3fd3efa8b00ff832d04928e3d6e
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 17:27:12 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 17:36:37 +0000

    devel/viewvc-devel: update to 1.3.0-20230104

    fixes CVE-2023-22464 re cross site scripting

    PR:		268754
    Security:	CVE-2023-22464

    (cherry picked from commit f90173ae51b8d453489ddf9c2d84783745473870)

 devel/viewvc-devel/Makefile | 8 +++-----
 devel/viewvc-devel/distinfo | 6 +++---
 2 files changed, 6 insertions(+), 8 deletions(-)
(In reply to Yasuhito FUTATSUKI from comment #3)
Ahh, I see now: https://github.com/viewvc/viewvc/commit/a239c4a93093d9f3e0e34ea4d254bde463ad38b1 shows both vulns are patched. Thank you.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=210b86be2bf9fa73f96d674eadc662030996cd27

commit 210b86be2bf9fa73f96d674eadc662030996cd27
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 19:08:43 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 19:08:43 +0000

    security/vuxml: amend entry adding CVE-2023-22456 in devel/viewvc-devel

    PR:		268754
    Security:	CVE-2023-22456

 security/vuxml/vuln/2023.xml | 5 +++++
 1 file changed, 5 insertions(+)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a9a607cfd9cac445aa1241613dae59d0d95a57df

commit a9a607cfd9cac445aa1241613dae59d0d95a57df
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 19:08:43 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 19:10:07 +0000

    security/vuxml: amend entry adding CVE-2023-22456 in devel/viewvc-devel

    PR:		268754
    Security:	CVE-2023-22456

    (cherry picked from commit 210b86be2bf9fa73f96d674eadc662030996cd27)

 security/vuxml/vuln/2023.xml | 5 +++++
 1 file changed, 5 insertions(+)
(In reply to Yasuhito FUTATSUKI from comment #3)
Is there anything I have missed? Sorry, I'm not thinking clearly today - I have a cold.
(In reply to Dan Langille from comment #10)
No, as far as I could see, that's all. Thank you very much.
The build fails now with the following error:

": Error from apache.mk. Illegal use of USES= apache:run,24+"

After reverting to the previous setting - APACHE_USE= APACHE_RUN=24+, the build fails again but with a different error:

====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===========================================================================
=======================<phase: package        >============================
===>  Building package for py39-viewvc-devel-1.3.0.20230104
pkg-static: Unable to access file /wrkdirs/usr/ports/devel/viewvc-devel/work-py39/stage/usr/local/viewvc/bin/cvsdbadmin:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/devel/viewvc-devel/work-py39/stage/usr/local/viewvc/bin/loginfo-handler:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/devel/viewvc-devel/work-py39/stage/usr/local/viewvc/bin/make-database:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/devel/viewvc-devel/work-py39/stage/usr/local/viewvc/bin/svndbadmin:No such file or directory
*** Error code 1

Stop.
make: stopped in /usr/ports/devel/viewvc-devel
=>> Cleaning up wrkdir
===>  Cleaning for py39-viewvc-devel-1.3.0.20230104
build of devel/viewvc-devel | py39-viewvc-devel-1.3.0.20230104 ended at Thu Jan  5 19:55:31 GMT 2023
build time: 00:00:16
!!! build failure encountered !!!

Thanks very much!
I thought twice about making that change in a vuln fix. It passed my testport, so I was OK. Now I see my error. My testport was on the wrong tree. Sorry.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ca41fed073ced0147600138b27472d0ffe86ed0b

commit ca41fed073ced0147600138b27472d0ffe86ed0b
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 21:08:38 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 21:09:37 +0000

    devel/viewvc-devel: Fix my broken patch.

    PR:		268754
    Reported by:	Alex

 devel/viewvc-devel/Makefile  |  3 ++-
 devel/viewvc-devel/pkg-plist | 11 +++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f0b0d0575e63282b192584da01284dfd2ce90803

commit f0b0d0575e63282b192584da01284dfd2ce90803
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-05 21:08:38 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-05 21:10:11 +0000

    devel/viewvc-devel: Fix my broken patch.

    PR:		268754
    Reported by:	Alex

    (cherry picked from commit ca41fed073ced0147600138b27472d0ffe86ed0b)

 devel/viewvc-devel/Makefile  |  3 ++-
 devel/viewvc-devel/pkg-plist | 11 +++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
(In reply to Alex from comment #12)
How's that now? Sorry for my errors. Thank you for reporting.
It looks good. It builds on HEAD and 2023Q1. Thanks very much, Dan! (I enjoy your blog very much.)
My thanks to those who contributed to this.
I think I set the vuxml version incorrectly. See https://cgit.freebsd.org/ports/tree/security/vuxml/vuln/2023.xml#n338

I think 1.3.0-20230104 should be 1.3.0.20230104

Do you agree?
(In reply to Dan Langille from comment #19) My proposed change: [dvl@ava-pkg-02prd:/usr/dvl/main/security/vuxml] $ git diff diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index bb2dc0d3af58..da3e9b12e7c1 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -335,7 +335,7 @@ <name>py37-viewvc-devel</name> <name>py38-viewvc-devel</name> <name>py39-viewvc-devel</name> - <range><lt>1.3.0-20230104</lt></range> + <range><lt>1.3.0.20230104</lt></range> </package> </affects> <description>
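Review bot: the new bound `<lt>1.3.0.20230104</lt>` is the right fix, because it is the version half of the installed package name (py39-viewvc-devel-1.3.0.20230104) that `pkg audit` compares against, whereas the old `1.3.0-20230104` can never be a FreeBSD package version: the last `-` in a package name is the separator between name and version. Before committing, run `make validate` in security/vuxml, and note that this `lt` bound only stays meaningful while later viewvc-devel snapshots keep the same dotted PORTVERSION form (1.3.0.YYYYMMDD); the three `<name>` entries for py37/py38/py39 share the range, so no per-flavor change is needed.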
(In reply to Dan Langille from comment #19)
I have no idea about it. In the upstream project, its version is "1.3.0-dev" and the next release version will be "1.3.0", defined in lib/viewvc.py as __version__, and then the version of the branch head would be "1.3.1-dev". Versions "*-dev" don't distinguish their revisions. So I think the version number of the viewvc port can be defined only for FreeBSD port users' benefit.
(In reply to Yasuhito FUTATSUKI from comment #21)
`pkg audit` is reporting viewvc-devel-1.3.0.20230104 as vulnerable. See also https://www.freshports.org/devel/viewvc-devel/#history

This came to my attention yesterday when I installed the latest viewvc-devel during a server upgrade. At present, `pkg audit` is reporting a false positive for this package.

I don't know how to reconcile upstream version against FreeBSD ports tree versions with respect to vuxml. I think it needs to refer to FreeBSD PORTVERSION values when they differ from upstream. That's my guess.
(In reply to Dan Langille from comment #22)
I see. The FreeBSD Porter's Handbook says about the version range [1]:

[[[
The version ranges have to allow for PORTEPOCH and PORTREVISION if applicable. Please remember that according to the collation rules, a version with a non-zero PORTEPOCH is greater than any version without PORTEPOCH, for example, 3.0,1 is greater than 3.1 or even than 8.9.
]]]

so I think you are right.

[1] https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify-vuxml-intro
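To make the collation rule quoted above concrete, here is an added example (it is not code from pkg(8), from the vuxml tooling, or from anyone in this PR) that parses the PORTVERSION[_PORTREVISION][,PORTEPOCH] grammar with purely numeric dotted components and evaluates a constructed vuxml `<range>` the way `pkg audit` conceptually does. The vuxml fragment is constructed to mirror the affected names and the corrected range from this PR; its vid and topic are placeholders. The parser deliberately accepts nothing outside that grammar, so a range like 1.3.0-20230104 is rejected up front instead of being compared; what pkg(8) itself does with such a string is not something this example claims to reproduce, and pkg's real comparator also handles letter suffixes, `+` and other tokens that this one does not.

```python
"""Toy vuxml range check against FreeBSD package version strings.

Added example for this PR thread; not code from pkg(8), vuxml, or the ports
tree.  Only the PORTVERSION[_PORTREVISION][,PORTEPOCH] grammar with numeric
dotted components is implemented, as an illustration of the collation rules
from the Porter's Handbook, not as a replacement for `pkg audit`.
"""
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment mirroring the affected names and the corrected
# range from this PR; the vid and topic are placeholders, not a real entry.
VUXML_ENTRY = """<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>viewvc-devel -- constructed example entry</topic>
  <affects>
    <package>
      <name>py37-viewvc-devel</name>
      <name>py38-viewvc-devel</name>
      <name>py39-viewvc-devel</name>
      <range><lt>1.3.0.20230104</lt></range>
    </package>
  </affects>
</vuln>"""

# version[_revision][,epoch]; nothing else is accepted, so a '-' inside a
# version (as in the first vuxml entry, 1.3.0-20230104) is rejected loudly.
_VERSION_RE = re.compile(
    r"^(?P<ver>[0-9]+(?:\.[0-9]+)*)(?:_(?P<rev>[0-9]+))?(?:,(?P<epoch>[0-9]+))?$"
)


def parse_version(s):
    """Return (epoch, dotted components, revision) for a package version."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"not a package version in the supported grammar: {s!r}")
    comps = tuple(int(c) for c in m.group("ver").split("."))
    return (int(m.group("epoch") or 0), comps, int(m.group("rev") or 0))


def compare(a, b):
    """Return -1, 0 or 1.  Epoch dominates (so 3.0,1 > 8.9), then the dotted
    components compare left to right, then PORTREVISION breaks ties."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


_BOUNDS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def range_matches(range_el, version):
    """A <range> matches when every bound inside it holds for version."""
    return all(_BOUNDS[b.tag](compare(version, b.text.strip())) for b in range_el)


def affected(vuln_xml, pkgname, version):
    """Mimic the pkg audit decision for one installed package name/version."""
    root = ET.fromstring(vuln_xml)
    for pkg in root.iter("package"):
        names = {n.text.strip() for n in pkg.findall("name")}
        if pkgname in names and any(
            range_matches(r, version) for r in pkg.findall("range")
        ):
            return True
    return False


def split_pkg(pkg_full):
    """'py39-viewvc-devel-1.3.0.20230104' -> ('py39-viewvc-devel', '1.3.0.20230104').
    The last '-' separates name from version, which is why a '-' can never be
    part of a FreeBSD package version string."""
    name, _, ver = pkg_full.rpartition("-")
    return name, ver


if __name__ == "__main__":
    for full in ("py39-viewvc-devel-1.3.0.20201006", "py39-viewvc-devel-1.3.0.20230104"):
        name, ver = split_pkg(full)
        print(full, "is vulnerable" if affected(VUXML_ENTRY, name, ver) else "is fixed")
    print("3.0,1 vs 8.9:", compare("3.0,1", "8.9"))
    try:
        parse_version("1.3.0-20230104")
    except ValueError as e:
        print("rejected:", e)
```

The two checks that actually matter for a real entry remain `make validate` in security/vuxml (schema and well-formedness) and `pkg audit` on a host with the package installed; the toy above only shows why the range has to be written in the same form as the package version pkg sees.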
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bebf6dfd11d5dd4a0cc5ab74ac0904299dadc471

commit bebf6dfd11d5dd4a0cc5ab74ac0904299dadc471
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-01-13 15:54:35 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-01-13 15:56:28 +0000

    security/vuxml: Correct range for devel/viewvc-devel

    Changing a - to a . in the version

    PR:		268754

 security/vuxml/vuln/2023.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)