Bug 205502 - graphics/librsvg2: update 2.40.10 -> 2.40.12
Summary: graphics/librsvg2: update 2.40.10 -> 2.40.12
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-gnome (Nobody)
URL: http://www.openwall.com/lists/oss-sec...
Keywords: patch, patch-ready, security
Depends on:
Blocks:
Reported: 2015-12-22 01:24 UTC by Jason Unovitch
Modified: 2015-12-23 20:31 UTC

See Also:
kwm: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
graphics/librsvg2: update 2.40.10 -> 2.40.12 (1.11 KB, patch)
2015-12-22 01:24 UTC, Jason Unovitch

Description Jason Unovitch freebsd_committer freebsd_triage 2015-12-22 01:24:14 UTC
Created attachment 164477
graphics/librsvg2: update 2.40.10 -> 2.40.12

http://www.openwall.com/lists/oss-security/2015/12/21/5
Comment 1 commit-hook freebsd_committer freebsd_triage 2015-12-22 01:44:44 UTC
A commit references this bug:

Author: junovitch
Date: Tue Dec 22 01:43:45 UTC 2015
New revision: 404200
URL: https://svnweb.freebsd.org/changeset/ports/404200

Log:
  Document two librsvg2 vulnerabilities

  PR:		205502
  Security:	CVE-2015-7557
  Security:	CVE-2015-7558
  Security:	https://vuxml.FreeBSD.org/freebsd/da634091-a84a-11e5-8f5c-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/d6c51737-a84b-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-12-22 01:48:48 UTC
The first entry was for a fix committed upstream earlier this year. Documented it now as Red Hat reported both at the same time.

[1] https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df

The later entry is for the application crash via a stack exhaustion issue addressed through rework in 2.40.12.  The attached patch is ready for review/commit and will only need to list the following in the commit message.

Security: CVE-2015-7558
Security: https://vuxml.FreeBSD.org/freebsd/d6c51737-a84b-11e5-8f5c-002590263bf5.html
Comment 3 Koop Mast freebsd_committer freebsd_triage 2015-12-22 15:47:06 UTC
Reset merge-quarterly flag; I can't approve that.
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-12-23 01:14:18 UTC
A commit references this bug:

Author: junovitch
Date: Wed Dec 23 01:13:43 UTC 2015
New revision: 404275
URL: https://svnweb.freebsd.org/changeset/ports/404275

Log:
  graphics/librsvg2: update 2.40.10 -> 2.40.12

  PR:		205502
  Approved by:	gnome (kwm)
  Security:	CVE-2015-7558
  Security:	https://vuxml.FreeBSD.org/freebsd/d6c51737-a84b-11e5-8f5c-002590263bf5.html
  MFH:		2015Q4

Changes:
  head/graphics/librsvg2/Makefile
  head/graphics/librsvg2/distinfo
  head/graphics/librsvg2/pkg-plist
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-12-23 20:21:18 UTC
A commit references this bug:

Author: junovitch
Date: Wed Dec 23 20:20:56 UTC 2015
New revision: 404319
URL: https://svnweb.freebsd.org/changeset/ports/404319

Log:
  MFH: r404275

  graphics/librsvg2: update 2.40.10 -> 2.40.12

  PR:		205502
  Approved by:	gnome (kwm)
  Approved by:	ports-secteam (feld)
  Security:	CVE-2015-7558
  Security:	https://vuxml.FreeBSD.org/freebsd/d6c51737-a84b-11e5-8f5c-002590263bf5.html

Changes:
_U  branches/2015Q4/
  branches/2015Q4/graphics/librsvg2/Makefile
  branches/2015Q4/graphics/librsvg2/distinfo
  branches/2015Q4/graphics/librsvg2/pkg-plist
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-12-23 20:31:51 UTC
(In reply to Koop Mast from comment #3)
merge-quarterly+ approved by ports-secteam (feld)

The update passed build QA on all releases as well as a before/after build test of the active dependencies listed at http://www.freshports.org/graphics/librsvg2/ on 9.3 amd64 Poudriere.