Created attachment 248311
Patch for expat2

Fixes CVEs: CVE-2023-52425 and CVE-2023-52426

References:
https://www.cve.org/CVERecord?id=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52426

Compile and runtime tested on FreeBSD 14.0-RELEASE (amd64) (make, make check-plist, make test)
Compile and runtime tested on FreeBSD 14.0-RELEASE (aarch64) (make, make check-plist, make test)
Poudriere testport OK 14.0-RELEASE (amd64)
Poudriere testport OK 13.2-RELEASE (amd64)

Tested with the following consumers in 14.0-RELEASE (amd64) using Poudriere:

archivers/libarchive
astro/gpsbabel14 astro/opencpn astro/osmium-tool astro/readosm astro/viking
audio/audacity sysutils/procenv astro/libosmium
audio/boca audio/calf-lv2 audio/drumgizmo audio/gogglesmm audio/jack audio/ladish audio/mumble audio/musicpd audio/vst3sdk
benchmarks/flowgrind
cad/PrusaSlicer cad/brlcad cad/camotics cad/freecad cad/lepton-eda cad/opencascade cad/openvsp
comms/obexapp comms/trustedqsl
converters/osm2pgrouting converters/osm2pgsql
databases/spatialite-tools
deskutils/fbreader deskutils/gnome-contacts deskutils/presage
devel/anjuta devel/apr1 devel/avr-gdb devel/cbang devel/cmake-core devel/cmake-gui devel/dbus devel/dbus-c++ devel/dbus-glib devel/electron25 devel/electron26 devel/electron27 devel/electron28 devel/gdb devel/gdcm devel/git devel/ice devel/ice37 devel/kdesvn devel/libdatovka devel/libopkele devel/libpdel devel/log4c devel/log4cxx devel/p5-subversion devel/poco devel/ptlib devel/py-subversion devel/pysvn devel/rsvndump devel/ruby-subversion devel/sdbus-cpp devel/simgear devel/subversion devel/subversion-lts
dns/getdns dns/unbound
editors/libreoffice editors/openoffice-4 editors/openoffice-devel editors/vscode editors/xmlcopyeditor
emulators/mame
finance/beanie
ftp/lftp
games/augustus games/battletanks games/dreamchess games/easyrpg-player games/ezquake games/flightgear games/liblcf games/moonlight-embedded games/nimuh games/xpilot-ng-server
graphics/art graphics/aseprite graphics/blender (fails, unrelated) graphics/cegui graphics/cloudcompare graphics/dcp2icc graphics/digikam graphics/exiv2 graphics/gdal graphics/gimp-app graphics/glosm graphics/graphviz graphics/libosmesa graphics/libwmf graphics/libwmf-nox11 graphics/mapserver graphics/mesa-devel graphics/mesa-dri graphics/mesa-gallium-va graphics/mesa-gallium-vdpau graphics/mesa-gallium-xa graphics/mesa-libs graphics/mirtk graphics/opencolorio graphics/opencolorio-tools graphics/openfx-arena graphics/py-opencolorio (fails, unrelated) graphics/qgis graphics/qgis-ltr graphics/rawtherapee graphics/vips graphics/vv graphics/wayland graphics/wdune graphics/wxsvg
java/java-subversion
lang/clover lang/smalltalk
mail/claws-mail mail/libetpan
math/R-cran-units math/vtk8 math/vtk9
misc/libcomps misc/libmetalink misc/libsolv misc/owrep
multimedia/dvdauthor multimedia/kodi multimedia/kodi-addon-inputstream.adaptive multimedia/libxspf multimedia/mythtv multimedia/snapcast
net/avahi-app net/c3270 net/grive2 net/libarms net/libnpupnp net/mad_fcl net/ntopng net/opensips31 net/rpki-client net/tcpflow net/ulxmlrpcpp net/xmlrpc-c net/xmlrpc-epi net/zebra-server
net-im/biboumi net-im/ejabberd net-im/jabberd (fails, unrelated) net-im/libmesode net-im/libstrophe net-im/signal-desktop
net-mgmt/netxms
print/miktex
science/InsightToolkit science/InsightToolkit501 science/R-cran-udunits2 science/afni science/dakota science/elmerfem science/geant4 science/gnudatalanguage science/libkml science/liggghts science/massxpert science/orthanc-dicomweb science/orthanc-webviewer science/paraview science/udunits science/vmd science/votca (fails, unrelated) science/zotero
security/kdbxviewer security/ophcrack security/rats security/shibboleth-sp security/subversion-gnome-keyring
sysutils/afflib sysutils/bulk_extractor sysutils/eclat sysutils/ftwin sysutils/fusefs-httpdirfs sysutils/fusefs-s3backer sysutils/ganglia-monitor-core sysutils/libdnf sysutils/polkit
textproc/domc textproc/exempi textproc/fcitx5 textproc/freexl textproc/libxode textproc/luaexpat textproc/modlogan (fails, unrelated) textproc/ocaml-expat textproc/p5-XML-Parser textproc/p5-XML-SAX-ExpatXS textproc/refdb textproc/rnv textproc/sablotron textproc/scew textproc/scim-openvanilla textproc/sphinxsearch textproc/teckit textproc/wbxml2 textproc/xmlppm
www/apache24 www/chromium www/cplanet www/htdigest www/httest www/iridium www/libapreq2 www/libdom www/libwww www/mod_dav_svn www/mod_security www/neon www/netsurf www/osrm-backend www/qt6-webengine www/ungoogled-chromium
x11/x3270 x11/xforward
x11-fonts/fontconfig
x11-toolkits/wxgtk30 x11-toolkits/wxgtk32
x11-wm/echinus
gentle ping -- is there something that we can look at and help with to make this land faster?
Exp-run looks fine
Ship it
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bc9951864fb597be6ff47c03b4338f9eb6b62caf

commit bc9951864fb597be6ff47c03b4338f9eb6b62caf
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2024-02-18 15:03:41 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2024-02-18 16:16:12 +0000

    textproc/expat2: Update to 2.6.0

    Fixes CVE-2023-52425 and CVE-2023-52426

    Changelog: https://github.com/libexpat/libexpat/blob/R_2_6_0/expat/Changes

    References:
    https://www.cve.org/CVERecord?id=CVE-2023-52425
    https://www.cve.org/CVERecord?id=CVE-2023-52426

    PR:           276946
    Approved by:  desktop (tcberner)
    Exp-run by:   antoine

 textproc/expat2/Makefile  | 19 ++++++++++---------
 textproc/expat2/distinfo  |  6 +++---
 textproc/expat2/pkg-plist |  2 +-
 3 files changed, 14 insertions(+), 13 deletions(-)