Created attachment 235142 multimedia/py-mat2: update to 0.13.0 This update fixes CVE-2022-35410, an arbitrary file read; please MFH. Tested with Poudriere on armv7 i386 amd64 FreeBSD 13. Changelog: https://0xacab.org/jvoisin/mat2/-/blob/master/CHANGELOG.md
Hello Robert, patch looks ok, but given it addresses a CVE, we will also need to document it. Could you also cook up a patch to add the advisory to vuln-2022.xml? It's located in security/vuxml/; you can find more information about this also in the porters handbook.
https://docs.freebsd.org/en/books/porters-handbook/security/
(In reply to Dries Michiels from comment #1) I'm aware of these, they just really suck to write. So I prefer not to do it. But if you insist, I can go ahead and send you an entry. I will not send a patch as these tend to have merge conflicts (the vulnxml database is exceptionally poorly designed in that all ports fight to append their entries to the same file) but rather post the entry as a comment here.
Also did you note that due to this shitty database it is actually significantly more complicated and tedious to fix a critical security issue over just committing a regular port update? Kind of a perverse incentive.
You may add this dreadful thing to the database:

<vuln vid="830855f3-ffcc-11ec-9d41-d05099c8b5a7">
  <topic>mat2 -- directory traversal/arbitrary file read during ZIP file processing</topic>
  <affects>
    <package>
      <name>mat2</name>
      <range><lt>0.13.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35410">
        <p>mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../
        directory traversal during the ZIP archive cleaning process. This
        primarily affects mat2 web instances, in which clients could obtain
        sensitive information via a crafted archive.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2022-35410</cvename>
    <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35410</url>
  </references>
  <dates>
    <discovery>2022-07-08</discovery>
    <entry>2022-07-09</entry>
  </dates>
</vuln>
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e595d3283beb6574371d8bcc07ae98df97f62f08

commit e595d3283beb6574371d8bcc07ae98df97f62f08
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2022-07-10 08:30:25 +0000
Commit:     Dries Michiels <driesm@FreeBSD.org>
CommitDate: 2022-07-10 09:06:24 +0000

    multimedia/py-mat2: update to 0.13.0

    Changes:  https://0xacab.org/jvoisin/mat2/-/blob/master/CHANGELOG.md
    PR:       265104
    MFH:      2022Q3
    Security: CVE-2022-35410

 multimedia/py-mat2/Makefile | 3 +--
 multimedia/py-mat2/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=864a0c974c370492f4b420605de1abbe937724a3

commit 864a0c974c370492f4b420605de1abbe937724a3
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2022-07-10 08:30:25 +0000
Commit:     Dries Michiels <driesm@FreeBSD.org>
CommitDate: 2022-07-10 09:08:42 +0000

    multimedia/py-mat2: update to 0.13.0

    Changes:  https://0xacab.org/jvoisin/mat2/-/blob/master/CHANGELOG.md
    PR:       265104
    MFH:      2022Q3
    Security: CVE-2022-35410

    (cherry picked from commit e595d3283beb6574371d8bcc07ae98df97f62f08)

 multimedia/py-mat2/Makefile | 2 +-
 multimedia/py-mat2/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d4a2fd3ffbcf207bd29c4a96518f3c89dd2b410f

commit d4a2fd3ffbcf207bd29c4a96518f3c89dd2b410f
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2022-07-10 09:15:04 +0000
Commit:     Dries Michiels <driesm@FreeBSD.org>
CommitDate: 2022-07-10 09:19:26 +0000

    security/vuxml: document multimedia/py-mat2 CVE-2022-35410

    PR: 265104

 security/vuxml/vuln-2022.xml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
Thanks a lot for the entry and patches! Everything committed!
(In reply to Dries Michiels from comment #9) Does the VuXML entry also have to be entered into the quarterly branch?
No, the info pkg uses to audit packages is located here: http://vuxml.freebsd.org/freebsd/ It's based on the vuxml file in the main branch of the ports tree.
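As an added illustration (not code from this thread, from mat2, or from pkg), the following Python matcher reads a VuXML entry like the one posted above and decides whether a given package name and version falls inside an <affects> range, which is the check pkg audit performs against the vuxml data. The version ordering is a simplified approximation of pkg's (an assumption), and the sample entry is the posted one reduced to the elements a matcher needs, wrapped in a constructed root element.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the VuXML entry posted in this thread, reduced to the
# elements a matcher needs and wrapped in a bare root element (no namespace).
VUXML_SAMPLE = """<vuxml>
<vuln vid="830855f3-ffcc-11ec-9d41-d05099c8b5a7">
  <topic>mat2 -- directory traversal/arbitrary file read during ZIP file processing</topic>
  <affects><package><name>mat2</name><range><lt>0.13.0</lt></range></package></affects>
  <references><cvename>CVE-2022-35410</cvename></references>
</vuln>
</vuxml>"""

# Comparison operators VuXML allows inside a <range>; all bounds in one range must hold.
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def parse_version(v):
    """Simplified model of pkg's version ordering (assumption, not pkg's code):
    PORTEPOCH after ',', PORTREVISION after '_', then numeric components compared
    as integers and alphabetic components sorting after numbers at the same position."""
    epoch = revision = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, parts, revision)

def find_vulns(vuxml_text, pkgname, version):
    """Return [(vid, [cvenames])] for every <vuln> whose <affects> covers pkgname/version."""
    ver = parse_version(version)
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkgname not in (n.text for n in pkg.findall("name")):
                continue
            for rng in pkg.findall("range"):
                bounds = [(b.tag, parse_version(b.text)) for b in rng]
                if bounds and all(OPS[tag](ver, bound) for tag, bound in bounds):
                    hits.append((vuln.get("vid"), [c.text for c in vuln.iter("cvename")]))
                    break  # one matching range per package is enough
    return hits

if __name__ == "__main__":
    for v in ("0.12.0_1", "0.13.0", "0.13.0,1"):
        print(v, "->", find_vulns(VUXML_SAMPLE, "mat2", v))
```

Note that the installed package name must match a <name> element exactly, so a mismatch between the entry and the real package name silently yields no audit hit.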