Bug 270906 - textproc/libxml2: SecurityUpdate to 2.10.4
Summary: textproc/libxml2: SecurityUpdate to 2.10.4
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Dima Panov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-18 02:43 UTC by takefu
Modified: 2023-04-27 22:58 UTC
CC: 12 users

See Also:
bugzilla: maintainer-feedback? (desktop)


Attachments
libxml2-2.10.4.patch (6.51 KB, patch), 2023-04-18 02:43 UTC, takefu
Reformatted patch (6.51 KB, patch), 2023-04-24 22:28 UTC, George Mitchell

Description takefu 2023-04-18 02:43:50 UTC
Created attachment 241552
libxml2-2.10.4.patch

fix:
  PORTCLIPPY(1) Compliant
  LIBXML2_SLAVE STRIP shared object files


v2.10.4: Apr 11 2023

### Security

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

### Regressions

- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes
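The release notes above name the two CVEs that 2.10.4 closes, so the practical question for a FreeBSD host is whether the installed libxml2 package predates that version. The following is an added example, not code from this bug, the port, or libxml2 upstream: it parses FreeBSD package names of the form `name-version[_revision][,epoch]` the way `pkg info` prints them (the sample list is constructed, not real output) and reports which libxml2 packages sort before 2.10.4. It follows pkg's ordering rules (epoch first, then dotted version, then PORTREVISION) so that a `2.10.3_1` is still flagged while `2.10.4_1` is not.

```python
"""Flag FreeBSD libxml2 packages older than the 2.10.4 security release.

Added example, not code from the bug report, the ports tree or libxml2.
Version strings follow pkg(8) conventions: version[_revision][,epoch].
"""

# Version that ships the fixes for CVE-2023-29469 and CVE-2023-28484.
FIXED_VERSION = "2.10.4"

# Constructed sample of `pkg info` style package names (not captured output).
SAMPLE_PACKAGES = [
    "libxml2-2.9.13_1",
    "libxml2-2.10.3",
    "libxml2-2.10.3_1",
    "libxml2-2.10.4",
    "libxml2-2.10.4_1",
    "libxml2-2.11.0",
    "libxslt-1.1.37",   # different port, must be ignored
]


def split_pkgname(pkgname):
    """Split 'libxml2-2.10.3_1' into ('libxml2', '2.10.3_1').

    The port name may itself contain '-', so split on the last one.
    """
    name, sep, version = pkgname.rpartition("-")
    if not sep:
        raise ValueError("not a name-version package string: %r" % pkgname)
    return name, version


def version_key(version):
    """Return (epoch, numeric components, revision) for a pkg version string."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    components = tuple(int(part) for part in version.split("."))
    return epoch, components, revision


def version_lt(a, b):
    """True when version string a sorts before b under pkg's rules."""
    ea, ca, ra = version_key(a)
    eb, cb, rb = version_key(b)
    # Pad dotted components so 2.10 compares equal to 2.10.0, not before it.
    width = max(len(ca), len(cb))
    ca = ca + (0,) * (width - len(ca))
    cb = cb + (0,) * (width - len(cb))
    return (ea, ca, ra) < (eb, cb, rb)


def affected_packages(pkgnames, fixed=FIXED_VERSION):
    """Return the libxml2 package names whose version predates `fixed`."""
    affected = []
    for pkgname in pkgnames:
        name, version = split_pkgname(pkgname)
        if name == "libxml2" and version_lt(version, fixed):
            affected.append(pkgname)
    return affected


if __name__ == "__main__":
    for pkgname in affected_packages(SAMPLE_PACKAGES):
        print("%s: older than libxml2-%s, update needed" % (pkgname, FIXED_VERSION))
```

On a real host the authoritative check is `pkg audit -F`, which matches the installed package against the VuXML entry referenced in the commits below (`0bd7f07b-dc22-11ed-bf28-589cfc0f81b0`); the script above is useful when you only have package names from an inventory and no pkg(8) at hand. A higher epoch sorts newer regardless of the dotted version, exactly as pkg does, so a package with an epoch suffix is only reported if the epoch itself is lower.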
Comment 1 takefu 2023-04-18 02:55:35 UTC
bug #262613 should be closed.
Comment 2 George Mitchell 2023-04-24 22:28:06 UTC
Created attachment 241722
Reformatted patch

(In reply to takefu from comment #0)
I have taken your patch and reformatted it more conventionally, so one can cd to /usr/ports and patch -p1 <reformatted-patch and have it apply cleanly.  It's still the same patch.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-04-27 18:27:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6567eeccaba062051ae4571c3d20c355383ac

commit acd6567eeccaba062051ae4571c3d20c355383ac
Author:     Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 18:25:56 +0000

    textproc/libxml2: update to 2.10.14 security release (+)

    - [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
    - [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
    - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

    - SAX2: Ignore namespaces in HTML documents
    - io: Fix "buffer full" error with certain buffer sizes

    PR:             270906
    Security:       0bd7f07b-dc22-11ed-bf28-589cfc0f81b0

    Sponsored by:   Serenity Cybersecurity, LLC

 textproc/libxml2/Makefile | 22 ++++++++++------------
 textproc/libxml2/distinfo |  6 +++---
 2 files changed, 13 insertions(+), 15 deletions(-)
Comment 4 Dima Panov freebsd_committer freebsd_triage 2023-04-27 19:37:25 UTC
Updated, thanks
Comment 5 Michael Osipov 2023-04-27 20:38:23 UTC
Any chance for 2023Q2?
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-04-27 22:58:59 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11a2be5f1911d9e357a87eb302d84d3adf16a783

commit 11a2be5f1911d9e357a87eb302d84d3adf16a783
Author:     Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 22:58:04 +0000

    textproc/libxml2: update to 2.10.14 security release (+)

    - [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
    - [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
    - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

    - SAX2: Ignore namespaces in HTML documents
    - io: Fix "buffer full" error with certain buffer sizes

    PR:             270906
    Security:       0bd7f07b-dc22-11ed-bf28-589cfc0f81b0

    Sponsored by:   Serenity Cybersecurity, LLC

    (cherry picked from commit acd6567eeccaba062051ae4571c3d20c355383ac)

 textproc/libxml2/Makefile | 23 +++++++++++------------
 textproc/libxml2/distinfo |  6 +++---
 2 files changed, 14 insertions(+), 15 deletions(-)