Created attachment 186756 [details]
Update to 1.3.0

The current version available for FreeBSD is vulnerable since 02.09.2017 and has already been patched upstream. See here: https://nih.at/libzip/NEWS.html

Vulnerabilities:
>> CVE-2017-12858: Fix double free().
>> CVE-2017-14107: Improve EOCD64 parsing.

Patch to update is attached. Thanks for a fast fix.

Update to 1.3.0.
Release notes: http://www.nih.at/libzip/NEWS.html

- Update & Fix broken patch
- Update & Fix pkg-plist
- Fixes CVE-2017-12858 & CVE-2017-14107
Poudriere output:

===========================================================================
====> Running Q/A tests (stage-qa)
====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
===> No pkg-plist issues found (check-plist)
====>> Checking for staging violations... done
=======================<phase: package >============================
===> Building package for libzip-1.3.0
===========================================================================
=======================<phase: install-mtree >============================
===========================================================================
====>> Recording filesystem state for preinst... done
=======================<phase: install >============================
===> Installing for libzip-1.3.0
===> Checking if libzip already installed
===> Registering installation for libzip-1.3.0
[fb103] Installing libzip-1.3.0...
===========================================================================
====>> Checking shared library dependencies
0x0000000000000001 (NEEDED) Shared library: [libbz2.so.4]
0x0000000000000001 (NEEDED) Shared library: [libc.so.7]
0x0000000000000001 (NEEDED) Shared library: [libz.so.6]
0x0000000000000001 (NEEDED) Shared library: [libzip.so.5]
=======================<phase: deinstall >============================
===> Deinstalling for libzip
===> Deinstalling libzip-1.3.0
Updating database digests format: ... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
	libzip-1.3.0

Number of packages to be removed: 1
[fb103] [1/1] Deinstalling libzip-1.3.0...
[fb103] [1/1] Deleting files for libzip-1.3.0: .......... done
===========================================================================
====>> Checking for extra files and directories
=======================<phase: Interactive >============================
[00:00:29] ====>> Installing packages
[00:00:29] ====>> Installing run-depends for archivers/libzip
[00:00:29] ====>> Installing archivers/libzip
[fb103] Installing libzip-1.3.0...
[fb103] Extracting libzip-1.3.0: 100%
[00:00:29] ====>> Installing local Pkg repository to /usr/local/etc/pkg/repos
[00:00:29] ====>> Entering interactive test mode. Type 'exit' when done.
Thanks for the heads-up, I'll be able to take a look at this later today. This update also bumps libzip's SOVERSION from .4 to .5, which means all consumers need to be tested and have their PORTREVISIONs bumped. When this happens, I prefer to land the CVE fixes separately (so that it's also easier to backport them to our quarterly branch) and only then update the port to a new version.
According to https://security-tracker.debian.org/tracker/CVE-2017-12858, libzip 1.1.3 is not vulnerable. I can indeed verify there's no Winzip-related code in this version. CVE-2017-14107 does affect us though, despite the fact that https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/ says the bug was introduced in 1.2.0.
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:50:21 UTC 2017
New revision: 450767
URL: https://svnweb.freebsd.org/changeset/ports/450767

Log:
  Fix version range for libzip's CVE-2017-14107 (r450692).

  I am going to land a fix for libzip 1.1.3 (the version currently in the ports tree) instead of updating the port to 1.3.0. 1.3.0 has a different SOVERSION number, which also requires updating dependent ports and makes MFH'ing the fix more difficult.

  PR:		222638

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:52:20 UTC 2017
New revision: 450768
URL: https://svnweb.freebsd.org/changeset/ports/450768

Log:
  Add a patch for CVE-2017-14107.

  This is a minor security vulnerability that can lead to a denial of service issue in libzip when a specially crafted archive is used.

  PR:		222638
  Security:	b2952517-07e5-4d19-8850-21c5b7e0623f
  Security:	CVE-2017-14107

Changes:
  head/archivers/libzip/Makefile
  head/archivers/libzip/files/patch-CVE-2017-14107
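The commit above describes CVE-2017-14107 only as a denial of service triggered by a specially crafted archive, and the upstream release notes call the fix "Improve EOCD64 parsing". The following is an added illustration written for this page; it is not libzip's code and not the patch landed in r450768. It parses the public ZIP64 end-of-central-directory record (field layout per PKWARE's APPNOTE) and refuses an entry count that the file cannot back, which is the kind of check a reader needs before it sizes any in-memory table from a count the archive itself supplies. Assumptions: the archive bytes are constructed inline (a zero-filled stand-in for the central directory, not a real ZIP), single-disk archives only, and the 46-byte lower bound per entry is the fixed part of a central directory file header.

```python
import struct

# ZIP64 end of central directory record, fixed part, little-endian (PKWARE APPNOTE).
EOCD64_SIG = 0x06064B50
EOCD64_FMT = "<IQHHIIQQQQ"  # sig, record size, ver made by, ver needed, this disk,
                            # cd disk, entries on this disk, total entries, cd size, cd offset
EOCD64_LEN = struct.calcsize(EOCD64_FMT)  # 56 bytes
CD_ENTRY_MIN = 46  # fixed part of one central directory file header (assumed lower bound)


def build_eocd64(total_entries, cd_size, cd_offset):
    """Serialise a single-disk EOCD64 record with the given (possibly hostile) fields."""
    return struct.pack(
        EOCD64_FMT, EOCD64_SIG, EOCD64_LEN - 12, 45, 45, 0, 0,
        total_entries, total_entries, cd_size, cd_offset,
    )


def make_archive(claimed_entries, real_entries=1):
    """Constructed sample: a placeholder central directory followed by an EOCD64 record.

    Returns (archive bytes, offset of the EOCD64 record). The directory bytes are
    zero-filled stand-ins, enough to exercise the size checks but not a real ZIP.
    """
    cd = b"\x00" * (CD_ENTRY_MIN * real_entries)
    return cd + build_eocd64(claimed_entries, len(cd), 0), len(cd)


def parse_eocd64(buf, eocd64_off):
    """Parse the EOCD64 record at eocd64_off, rejecting counts the file cannot back.

    A reader that sized its entry table straight from 'total entries' would let a
    crafted record request an absurd allocation; every limit below is checked
    against what the file actually contains before the count is trusted.
    """
    if eocd64_off < 0 or eocd64_off + EOCD64_LEN > len(buf):
        raise ValueError("EOCD64 record does not fit in file")
    (sig, rec_size, _made_by, _needed, disk, cd_disk,
     disk_entries, total_entries, cd_size, cd_off) = struct.unpack_from(
        EOCD64_FMT, buf, eocd64_off)
    if sig != EOCD64_SIG:
        raise ValueError("bad EOCD64 signature")
    if rec_size < EOCD64_LEN - 12:
        raise ValueError("EOCD64 record size field too small")
    if disk != 0 or cd_disk != 0 or disk_entries != total_entries:
        raise ValueError("multi-disk archives not supported")
    # The central directory must lie entirely before the record that describes it.
    if cd_off > eocd64_off or cd_size > eocd64_off - cd_off:
        raise ValueError("central directory extends past its own EOCD64 record")
    # Each entry occupies at least CD_ENTRY_MIN bytes, so the count is bounded by cd_size.
    if total_entries > cd_size // CD_ENTRY_MIN:
        raise ValueError(
            f"{total_entries} entries cannot fit in a {cd_size}-byte central directory")
    return {"entries": total_entries, "cd_size": cd_size, "cd_offset": cd_off}


def accepts(buf, eocd64_off):
    """True if the record passes validation, False if parse_eocd64 rejects it."""
    try:
        parse_eocd64(buf, eocd64_off)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good, off = make_archive(2, real_entries=2)
    print("sane record:", parse_eocd64(good, off))
    hostile, off = make_archive(2 ** 40, real_entries=1)
    print("hostile count accepted?", accepts(hostile, off))
```

The ordering of the checks matters: the directory-bounds test runs before the count test so that `cd_size` is already known to be a size the file can hold, which keeps `cd_size // CD_ENTRY_MIN` honest. A real reader would then walk the directory and stop at the first malformed header rather than trusting the count alone.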
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 16:53:51 UTC 2017
New revision: 450769
URL: https://svnweb.freebsd.org/changeset/ports/450769

Log:
  MFH: r450768

  Add a patch for CVE-2017-14107.

  This is a minor security vulnerability that can lead to a denial of service issue in libzip when a specially crafted archive is used.

  PR:		222638
  Security:	b2952517-07e5-4d19-8850-21c5b7e0623f
  Security:	CVE-2017-14107
  Approved by:	ports-secteam (blanket approval)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/archivers/libzip/Makefile
  branches/2017Q3/archivers/libzip/files/patch-CVE-2017-14107
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 18:06:06 UTC 2017
New revision: 450774
URL: https://svnweb.freebsd.org/changeset/ports/450774

Log:
  Update libzip to 1.3.0.

  It includes the fix for CVE-2017-14107 (landed separately in r450768) as well as a fix for CVE-2017-12858, which did not affect us due to the fact that the vulnerability was introduced in 1.2.0.

  libzip.so's SOVERSION got bumped after the removal of the undocumented function zip_archive_set_tempdir(). All ports depending on libzip continue to build fine after that.

  PR:		222638
  Submitted by:	Dani <i.dani@outlook.com>

Changes:
  head/archivers/libzip/Makefile
  head/archivers/libzip/distinfo
  head/archivers/libzip/files/patch-CVE-2017-14107
  head/archivers/libzip/files/patch-lib__Makefile.in
  head/archivers/libzip/pkg-plist
A commit references this bug:

Author: rakuco
Date: Wed Sep 27 18:08:16 UTC 2017
New revision: 450775
URL: https://svnweb.freebsd.org/changeset/ports/450775

Log:
  Bump PORTREVISION in ports depending on archivers/libzip.

  libzip was updated to 1.3.0 in r450774, and its SOVERSION went from .4 to .5 after the removal of zip_archive_set_tempdir(). All dependent ports continue to build fine without that symbol.

  PR:		222638

Changes:
  head/archivers/php56-zip/Makefile
  head/archivers/php70-zip/Makefile
  head/archivers/php71-zip/Makefile
  head/audio/deadbeef/Makefile
  head/cad/repsnapper/Makefile
  head/comms/libconcord/Makefile
  head/deskutils/kchmviewer/Makefile
  head/devel/libsigrok/Makefile
  head/emulators/ppsspp/Makefile
  head/emulators/ppsspp-qt5/Makefile
  head/games/freedink-engine/Makefile
  head/games/naev/Makefile
  head/games/openrct2/Makefile
  head/graphics/pstoedit/Makefile
  head/math/sc-im/Makefile
  head/sysutils/fusefs-zip/Makefile
  head/textproc/ebook-tools/Makefile
  head/x11-fm/librfm/Makefile
Alright, everything's been taken care of now. Thanks for the patch!
(In reply to Raphael Kubo da Costa from comment #9) Thank you for taking care of this so fast! :-)