From the bug report:

There are several cross-site scripting vulnerabilities in LXR. These vulnerabilities could allow an attacker to execute scripts in a user's browser, steal cookies associated with vulnerable domains, redirect the user to malicious websites, etc.

This PR is to request a port upgrade. A VuXML entry will be committed shortly and therefore the port will be marked vulnerable until this PR is solved.

Fix: Two actions are required:

1) Please upgrade the port to version 0.9.8 (fixes CVE-2009-4497)
2) Apply the following patch: http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64

Thanks in advance!

Niels

How-To-Repeat: N/A
Responsible Changed From-To: freebsd-ports-bugs->niels Submitter has GNATS access (via the GNATS Auto Assign Tool)
Maintainer of devel/lxr,

Please note that PR ports/146337 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/146337

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
niels 2010-05-05 19:12:37 UTC

FreeBSD ports repository

Modified files:
  security/vuxml  vuln.xml

Log:
- Added mediawiki and lxr vulnerabilities
- Fixed vlc topic format (lower case, portname first)

PR:           ports/146337
Approved by:  itetcu (mentor, implicit)
Security:     http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
Security:     http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com

Revision  Changes  Path
1.2154    +69 -2   ports/security/vuxml/vuln.xml

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Wed, May 05, 2010 at 06:50:15PM +0000, Edwin Groothuis wrote:
> Please note that PR ports/146337 has just been submitted.

Upgraded port to 0.9.8 and now it is being tested inside the local Tinderbox and at my own LXR instances. Will try to roll out the patch before tomorrow.

--
Eygene
Remember that it is hard to read the on-line manual while single-stepping the kernel. -- FreeBSD Developers handbook
Niels, good day.

Thu, May 06, 2010 at 09:23:46PM +0200, Niels Heinen wrote:
> That's great news and thanks for the quick response!

No problems, but the news isn't as good as expected: 0.9.8 is terribly messed up and nearly unusable. So, I bumped the port to 0.9.6_1, applying two security patches for the Common.pm. The patch is at
http://codelabs.ru/fbsd/ports/lxr/0.9.6-fix-CVE-2009-4497.diff

VUXML entry needs no fixing, because the version specification is '<= 0.9.6', so 0.9.6_1 will already be fine.

I am working on the upgrade to 0.9.8, but this will take up some time: looks like people from LXR are not testing their code at all, because it is broken all over the place.

Thanks!
--
Eygene
Thanks. The patch looks ok. I only added the removal of the new .orig files which were (and should) not be in pkg-plist.

Shall I commit this one then?

http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff

Niels

On 05/07/10 08:15, Eygene Ryabinkin wrote:
> Niels, good day.
>
> Thu, May 06, 2010 at 09:23:46PM +0200, Niels Heinen wrote:
>> That's great news and thanks for the quick response!
>
> No problems, but the news isn't as good as expected: 0.9.8 is terribly
> messed up and nearly unusable. So, I bumped the port to 0.9.6_1,
> applying two security patches for the Common.pm. The patch is at
> http://codelabs.ru/fbsd/ports/lxr/0.9.6-fix-CVE-2009-4497.diff
> VUXML entry needs no fixing, because the version specification is
> '<= 0.9.6', so 0.9.6_1 will already be fine.
>
> I am working on the upgrade to 0.9.8, but this will take up some
> time: looks like people from LXR are not testing their code at all,
> because it is broken all over the place.
>
> Thanks!

--
Niels Heinen
FreeBSD committer | www.freebsd.org
PGP: 0x5FE39B80
Niels,

Fri, May 07, 2010 at 12:26:01PM +0200, Niels Heinen wrote:
> Thanks. The patch looks ok. I only added the removal of the new .orig
> files which were (and should) not be in pkg-plist.
>
> Shall I commit this one then?
>
> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
> http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff

The removal of the .orig files is good, but it is redundant in the current version of the Makefile: it has the following lines for the install target ("do-install"):
{{{
${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
}}}
So, .orig files will only live inside WRKSRC, they won't be installed and so, they (obviously) aren't specified in the pkg-plist.

But maybe I am missing something?
--
Eygene
It's not a duplicate because the current makefile removes the .orig from the distfile during extraction. My change cleans up the .origs that are created by 'patch' (when applying the patchfiles) so that these aren't installed. I have to give credits to tinderbox ;)

Sent from my mobile

On 7 May 2010 at 16:44, Eygene Ryabinkin <rea-fbsd@codelabs.ru> wrote:

> Niels,
>
> Fri, May 07, 2010 at 12:26:01PM +0200, Niels Heinen wrote:
>> Thanks. The patch looks ok. I only added the removal of the new .orig
>> files which were (and should) not be in pkg-plist.
>>
>> Shall I commit this one then?
>>
>> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
>> http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff
>
> The removal of the .orig files is good, but it is redundant in the
> current version of the Makefile: it has the following lines for the
> install target ("do-install"):
> {{{
> ${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
> ${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
> }}}
> So, .orig files will only live inside WRKSRC, they won't be installed
> and so, they (obviously) aren't specified in the pkg-plist.
>
> But maybe I am missing something?
> --
> Eygene
Niels,

Fri, May 07, 2010 at 05:44:04PM +0200, Niels Heinen wrote:
> It's not a duplicate because the current makefile removes the .orig from
> the distfile during extraction. My change cleans up the .origs that
> are created by 'patch' (when applying the patchfiles) so that these
> aren't installed.

Please, note that the 'install' phase is completely done by the port's Makefile (not the LXR Makefile), so you can't refer to the LXR's makefiles -- they are just not used.

> I have to give credits to tinderbox ;)

Please, look at your tinderbox's logs at
http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
section 'phase 6: make install' and you'll see what I am talking about.

Maybe you meant that you had some errors with my patch? If yes, can you show the logs or anything?

Thanks.
--
Eygene
> Maybe you meant that you had some errors with my patch? If yes,
> can you show the logs or anything?

Hi Eygene,

I've rebuilt the package without my modifications and now the .orig files are not removed. Please reload the log file to see the error:
http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log

Can you please check this?

Niels
Niels, good day.

Fri, May 07, 2010 at 07:53:52PM +0200, Niels Heinen wrote:
> I've rebuilt the package without my modifications and now the .orig
> files are not removed. Please reload the log file to see the error:
>
> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
>
> Can you please check this?

My Tinderbox shows no such error, but I have one idea what can go wrong: shell metacharacters could be substituted. Please, try this additional patch at your Tindy:
http://codelabs.ru/fbsd/ports/lxr/0.9.6-use-wildcard-quoting.diff

Thanks for your patience!
--
Eygene
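The quoting problem diagnosed above, reproduced as an added example (a constructed scratch directory, not the port's Makefile or any code from this PR): the do-install tar pipeline with an unquoted `--exclude *.orig` beside the quoted form, run from a directory that itself contains a stray `.orig` file.

```shell
#!/bin/sh
# Added example, not code from the PR or the devel/lxr port: shows why an
# unquoted --exclude *.orig lets patch(1) leftovers into the install tree,
# and that quoting the pattern (what the wildcard-quoting patch does) fixes it.
set -eu

# Constructed scratch layout: WRKSRC with a patch(1)-style .orig leftover,
# an empty PREFIX to install into, and a stray *.orig in the current
# directory, which is what makes the unquoted glob expand.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WRKSRC="$WORK/wrksrc"
PREFIX="$WORK/prefix"
mkdir -p "$WRKSRC/lib/LXR" "$PREFIX"
printf 'package LXR::Common;\n' > "$WRKSRC/lib/LXR/Common.pm"
printf 'old\n' > "$WRKSRC/lib/LXR/Common.pm.orig"
touch "$WORK/Makefile.orig"
cd "$WORK"

# Prints "leaked" if any .orig file was installed under PREFIX, else "clean".
check_install() {
    if find "$PREFIX" -name '*.orig' | grep -q .; then
        echo leaked
    else
        echo clean
    fi
}

# Same shape as the do-install line quoted in the thread, pattern unquoted:
# the shell expands *.orig against the cwd first, so tar receives
# "--exclude Makefile.orig" and LXR/Common.pm.orig is copied along.
install_unquoted() {
    rm -rf "$PREFIX/LXR"
    tar -C "$WRKSRC/lib" -cf - --exclude *.orig LXR | tar -C "$PREFIX" -xf -
    check_install
}

# Quoted pattern: tar does the matching itself, so every *.orig is excluded.
install_quoted() {
    rm -rf "$PREFIX/LXR"
    tar -C "$WRKSRC/lib" -cf - --exclude '*.orig' LXR | tar -C "$PREFIX" -xf -
    check_install
}

echo "unquoted: $(install_unquoted)"   # leaked
echo "quoted:   $(install_quoted)"     # clean
```

The same expansion happens inside a port Makefile because each recipe line is handed to /bin/sh, so the stray `.orig` only has to exist in whatever directory make runs the do-install target from.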
Yes that works.. pffheeww ;-)))

Shall I commit?

Thanks!

Niels

On 05/09/10 17:53, Eygene Ryabinkin wrote:
> Niels, good day.
>
> Fri, May 07, 2010 at 07:53:52PM +0200, Niels Heinen wrote:
>> I've rebuilt the package without my modifications and now the .orig
>> files are not removed. Please reload the log file to see the error:
>>
>> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
>>
>> Can you please check this?
>
> My Tinderbox shows no such error, but I have one idea
> what can go wrong: shell metacharacters could be substituted.
> Please, try this additional patch at your Tindy:
> http://codelabs.ru/fbsd/ports/lxr/0.9.6-use-wildcard-quoting.diff
>
> Thanks for your patience!

--
Niels Heinen
FreeBSD committer | www.freebsd.org
PGP: 0x5FE39B80
Tue, May 11, 2010 at 08:07:57PM +0200, Niels Heinen wrote:
> Yes that works.. pffheeww ;-)))

Cool, thanks for the testing!

> Shall I commit?

Sure!
--
Eygene
niels 2010-05-12 09:13:54 UTC

FreeBSD ports repository

Modified files:
  devel/lxr        Makefile
Added files:
  devel/lxr/files  patch-CVE-2009-4497 patch-fix-clean_identifier
Removed files:
  devel/lxr/files  fix-perl-warnings.patch

Log:
Added security patch for XSS vulnerability (CVE-2009-4497)

PR:           ports/146337
Submitted by: Eygene Ryabinkin (maintainer)
Approved by:  itetcu (mentor, implicit)
Security:     http://www.vuxml.org/freebsd/0491d15a-5875-11df-8d80-0015587e2cc1.html

Revision  Changes   Path
1.3       +4 -4     ports/devel/lxr/Makefile
1.2       +0 -127   ports/devel/lxr/files/fix-perl-warnings.patch (dead)
1.1       +14 -0    ports/devel/lxr/files/patch-CVE-2009-4497 (new)
1.1       +20 -0    ports/devel/lxr/files/patch-fix-clean_identifier (new)
State Changed From-To: feedback->closed Committed and fixed