Bug 225611 - www/w3m Multiple vulnerabilities affecting w3m
Summary: www/w3m Multiple vulnerabilities affecting w3m
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: MANTANI Nobutaka
URL:
Keywords: needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2018-02-01 20:03 UTC by Daniel Ebdrup Jensen
Modified: 2018-02-04 13:35 UTC (History)
3 users (show)

See Also:
nobutaka: maintainer-feedback+
nobutaka: merge-quarterly+

Attachments
update patch (861 bytes, patch)
2018-02-01 21:47 UTC, Steve Wills 		no flags Details | Diff
vuxml entry (1.17 KB, text/plain)
2018-02-02 18:10 UTC, Daniel Ebdrup Jensen 		no flags Details
Corrected vuxml entry (obsoleted) (1.23 KB, text/plain)
2018-02-02 18:38 UTC, Daniel Ebdrup Jensen 		no flags Details
Final vuxml entry (1.26 KB, text/plain)
2018-02-02 19:18 UTC, Daniel Ebdrup Jensen 		no flags Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-01 20:03:40 UTC 
Several vulnerabilities have been fixed in the latest version of the w3m on the github page that this port is now tracking, however the port doesn't yet appear to be updated yet.

Here's a link to the changelog: https://github.com/tats/w3m/blob/master/ChangeLog
Comment 1 Steve Wills freebsd_committer freebsd_triage 2018-02-01 21:47:22 UTC 
Created attachment 190254 [details]
update patch

See attached
Comment 2 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-02 18:10:48 UTC 
Created attachment 190272 [details]
vuxml entry

An attempt at a vuxml entry, passes 'make validate' and has been checked with pkg audit -f /usr/ports/security/vuxml/vuxml.xml against w3m-0.5.3.20170102_1
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-02-02 18:20:41 UTC 
A commit references this bug:

Author: brd
Date: Fri Feb  2 18:20:05 UTC 2018
New revision: 460722
URL: https://svnweb.freebsd.org/changeset/ports/460722

Log:
  Document vulns in www/w3m.

  PR:		225611
  Submitted by:	D. Ebdrup <debdrup@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Brad Davis freebsd_committer freebsd_triage 2018-02-02 18:21:17 UTC 
Comment on attachment 190272 [details]
vuxml entry

Committed, thanks!
Comment 5 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-02 18:38:45 UTC 
Created attachment 190273 [details]
Corrected vuxml entry (obsoleted)

Vladimir Krstulja helpfully pointed out that I'd missed some variants and hadn't correctly identified the CVEs in the cvename section.

Next time I'll be sure to file an entry for security/vuxml too, instead of under www/w3m.
Comment 6 VK 2018-02-02 18:52:59 UTC 
Comment on attachment 190273 [details]
Corrected vuxml entry (obsoleted)

Oops, not an actual diff. My bad.
Comment 7 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-02 19:18:09 UTC 
Created attachment 190275 [details]
Final vuxml entry

This vuxml entry removes emacs-w3m and adds ja-w3m and ja-w3m-img.
Previous vuxmlentry-corrected.txt should be obsoleted.
Comment 8 commit-hook freebsd_committer freebsd_triage 2018-02-03 13:22:29 UTC 
A commit references this bug:

Author: nobutaka
Date: Sat Feb  3 13:21:38 UTC 2018
New revision: 460810
URL: https://svnweb.freebsd.org/changeset/ports/460810

Log:
  - Update to 0.5.3.20180125.
  - This version fixes multiple vulnerabilities.

  PR:             225611
  Submitted by:   D. Ebdrup <debdrup@gmail.com>
  MFH:            2018Q1
  Security:       e72d5bf5-07a0-11e8-8248-0021ccb9e74d

Changes:
  head/www/w3m/Makefile
  head/www/w3m/distinfo
Comment 9 commit-hook freebsd_committer freebsd_triage 2018-02-03 13:35:42 UTC 
A commit references this bug:

Author: nobutaka
Date: Sat Feb  3 13:35:04 UTC 2018
New revision: 460811
URL: https://svnweb.freebsd.org/changeset/ports/460811

Log:
  Update entry of w3m vulnerabilities.

  PR:		225611
  Submitted by:	D. Ebdrup <debdrup@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 10 commit-hook freebsd_committer freebsd_triage 2018-02-04 13:32:16 UTC 
A commit references this bug:

Author: nobutaka
Date: Sun Feb  4 13:32:07 UTC 2018
New revision: 460930
URL: https://svnweb.freebsd.org/changeset/ports/460930

Log:
  MFH: r460810

  - Update to 0.5.3.20180125.
  - This version fixes multiple vulnerabilities.

  PR:             225611
  Submitted by:   D. Ebdrup <debdrup@gmail.com>
  Security:       e72d5bf5-07a0-11e8-8248-0021ccb9e74d

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/w3m/Makefile
  branches/2018Q1/www/w3m/distinfo
Comment 11 MANTANI Nobutaka freebsd_committer freebsd_triage 2018-02-04 13:35:59 UTC 
Update done. Thank you for the patches!