Bug 221989 - graphics/gdk-pixbuf2 is vulnerable
Summary: graphics/gdk-pixbuf2 is vulnerable
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-gnome (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-02 00:47 UTC by Alaksiej Čarniajeŭ
Modified: 2017-09-25 13:43 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (gnome)

Attachments
Proposed patch (since 449061 revision) (2.67 KB, patch)
2017-09-02 02:52 UTC, lightside 		no flags Details | Diff
Proposed patch (since 449061 revision) (3.48 KB, patch)
2017-09-02 14:39 UTC, lightside 		lightside: maintainer-approval? (gnome)
 Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alaksiej Čarniajeŭ 2017-09-02 00:47:36 UTC 
According to this http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html version 2.36.6 (currently available in ports) contains two remote code execution vulnerabilities.
Comment 1 lightside 2017-09-02 02:52:45 UTC 
Created attachment 185982 [details]
Proposed patch (since 449061 revision)

Hello Alaksiej Čarniajeŭ.
I also reported about this issue to maintainer and FreeBSD security team.

Attached some patch to update graphics/gdk-pixbuf2 port from 2.36.6 to 2.36.9 version.

Look following link for changes:
https://git.gnome.org/browse/gdk-pixbuf/tree/NEWS?h=2.36.9

- Pet portlint about USES
- Add shared-mime-info to USES [*]
- Replace files/patch-Makefile.in with sed patch
- Replace $LIBTIFF with $TIFF_LIBS variables in ${WRKSRC}/configure, which fixes libpixbufloader-tiff.so build
- Adapt pkg-plist

* - For some reason the build started to require shared-mime-info dependency: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=2c2162c86d4f710007cfffbc582a1f0ce8740725

The build was tested on FreeBSD 10.3 amd64.
Comment 2 lightside 2017-09-02 14:39:35 UTC 
Created attachment 185989 [details]
Proposed patch (since 449061 revision)

Returned PKGNAMESUFFIX, which I mistakenly removed.
Fixed portlint's warning about env.
Added following patch after 2.36.9 version:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=853c60427f7ebb6b9cdfd142923167af70f13536
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-09-02 22:15:32 UTC 
A commit references this bug:

Author: kwm
Date: Sat Sep  2 22:15:02 UTC 2017
New revision: 449164
URL: https://svnweb.freebsd.org/changeset/ports/449164

Log:
  Update gdk-pixbuf2 to 2.36.9.

  * Move USES before USE_*, according to porters handbook [1]
  * Add depend on shared-mime-info, due to configure checking for it now.
  * Work around a bug in configure where tiff support isn't correctly
    enabled, resulting in the tiff loader not being build.
  * Regen patch with make makepatch

  PR:		221989
  Submitted by:	lightside@gmx.com
  Reported by:	 Alaksiej Carniajeu <a@carniajeu.com>, portlint [1]
  MFH:		2017Q3
  Security:	CVE-2017-2870, CVE-2017-2862

Changes:
  head/graphics/gdk-pixbuf2/Makefile
  head/graphics/gdk-pixbuf2/distinfo
  head/graphics/gdk-pixbuf2/files/patch-Makefile.in
  head/graphics/gdk-pixbuf2/pkg-plist