Bug 282536 - devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976
Summary: devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Vladimir Druzenko
URL: https://github.com/ClusterLabs/libqb/...
Keywords: security
Depends on:
Blocks:
 
Reported: 2024-11-04 12:48 UTC by Älven
Modified: 2024-11-05 10:33 UTC (History)
3 users (show)

See Also:
vvd: merge-quarterly+


Attachments
[PATCH] devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976 (5.55 KB, patch)
2024-11-04 12:48 UTC, Älven
no flags Details | Diff
[PATCH] devel/libqb: Add EXAMPLES option, fix typo (2.17 KB, patch)
2024-11-05 00:23 UTC, Älven
alster: maintainer-approval+
Details | Diff
[PATCH] devel/libqb: Add EXAMPLES option, fix typo (2.19 KB, patch)
2024-11-05 00:27 UTC, Älven
alster: maintainer-approval+
Details | Diff
[PATCH] devel/libqb: Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man (1.96 KB, patch)
2024-11-05 00:57 UTC, Älven
alster: maintainer-approval+
Details | Diff
[PATCH] devel/libqb: Add support for activation of tests (still failing) (1.04 KB, patch)
2024-11-05 01:16 UTC, Älven
alster: maintainer-approval+
Details | Diff
[PATCH] devel/libqb: Improve the port (3.76 KB, patch)
2024-11-05 09:32 UTC, Älven
alster: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Älven 2024-11-04 12:48:17 UTC
Created attachment 254927 [details]
[PATCH] devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976

https://nvd.nist.gov/vuln/detail/CVE-2023-39976
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 12:56:54 UTC
Port without maintainer - do you want to become the maintainer?
Comment 2 Älven 2024-11-04 14:29:44 UTC
I'll try to do it, and will be ready to transfer it to anyone who may do it better than me, would one ask me about it :)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-11-04 19:04:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1bdede316d9cf2b726ee433f32a64a6708a67b48

commit 1bdede316d9cf2b726ee433f32a64a6708a67b48
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 19:01:32 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 19:01:32 +0000

    security/vuxml: Add record for devel/libqb < 2.0.8 CVE-2023-39976

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    PR:     282536

 security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Comment 4 commit-hook freebsd_committer freebsd_triage 2024-11-04 21:00:36 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c08f528cd36c76d76f221e7af8d5918054978bdf

commit c08f528cd36c76d76f221e7af8d5918054978bdf
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 20:34:07 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 20:54:58 +0000

    devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    Changelogs:
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8

    Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix
    warnings from portclippy.

    PR:     282536
    MFH:    2024Q4

 devel/libqb/Makefile                     | 24 ++++++++++++------------
 devel/libqb/distinfo                     |  6 +++---
 devel/libqb/files/patch-configure (gone) | 11 -----------
 devel/libqb/pkg-descr                    | 10 +++++++---
 devel/libqb/pkg-plist                    |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-11-04 21:21:39 UTC
A commit in branch 2024Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3b5e2b275eb786a87844f5a4ce8487f47fb45737

commit 3b5e2b275eb786a87844f5a4ce8487f47fb45737
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 20:34:07 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 21:20:13 +0000

    devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    Changelogs:
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8

    Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix
    warnings from portclippy.

    PR:     282536
    MFH:    2024Q4
    (cherry picked from commit c08f528cd36c76d76f221e7af8d5918054978bdf)

 devel/libqb/Makefile                     | 24 ++++++++++++------------
 devel/libqb/distinfo                     |  6 +++---
 devel/libqb/files/patch-configure (gone) | 11 -----------
 devel/libqb/pkg-descr                    | 10 +++++++---
 devel/libqb/pkg-plist                    |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 21:26:03 UTC
Thanks.
Comment 7 Daniel Engberg freebsd_committer freebsd_triage 2024-11-04 22:47:38 UTC
Maybe I'm missing something here but grep shows no libxml2 code?
Comment 8 Älven 2024-11-04 23:16:48 UTC
So I may safely remove it, yes? I'll try to test…
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 23:37:22 UTC
configure print:
checking for libxml... yes
Comment 10 Älven 2024-11-04 23:38:10 UTC
Configure seems to require it somehow:

checking for libxml... no
configure: error: Package requirements (libxml-2.0) were not met:

Package 'libxml-2.0' not found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxml_CFLAGS
and libxml_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
===>  Script "configure" failed unexpectedly.
Comment 11 Daniel Engberg freebsd_committer freebsd_triage 2024-11-04 23:42:46 UTC
Having a quick look it seems like it's only referenced in doxygen2man/doxygen2man.c which as far as I can tell is never installed?
Comment 12 Älven 2024-11-05 00:08:11 UTC
I tried it. For some reason it's is being built anyway, even with DOXYGEN=OFF.
What may be good solution for this?
At least I may replace USE=gnome + USE_GNOME=libxml2 with just BUILD_DEPENDS=libxml2>0:textproc/libxml2, if it will be better…
Comment 13 Älven 2024-11-05 00:23:47 UTC
Created attachment 254958 [details]
[PATCH] devel/libqb: Add EXAMPLES option, fix typo

Add EXAMPLES option, fix typo.
Comment 14 Daniel Engberg freebsd_committer freebsd_triage 2024-11-05 00:25:28 UTC
Hugly hack the seems to work (just having a quick look), comment out
https://github.com/ClusterLabs/libqb/blob/main/configure.ac#L171 and add USES= autoreconf
Comment 15 Älven 2024-11-05 00:27:38 UTC
Created attachment 254959 [details]
[PATCH] devel/libqb: Add EXAMPLES option, fix typo

Add EXAMPLES option, fix typo.
Comment 16 Älven 2024-11-05 00:55:41 UTC
(In reply to Daniel Engberg from comment #14)
Thank you! It really helped :)
Comment 17 Älven 2024-11-05 00:57:01 UTC
Created attachment 254960 [details]
[PATCH] devel/libqb: Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man

Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man.
Comment 18 Älven 2024-11-05 01:16:32 UTC
Created attachment 254961 [details]
[PATCH] devel/libqb: Add support for activation of tests (still failing)

Add support for activation of tests (still failing)
Comment 19 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-05 09:19:51 UTC
(In reply to Älven from comment #18)
Can you create single patch against current version in ports?
Comment 20 Älven 2024-11-05 09:24:44 UTC
(In reply to Vladimir Druzenko from comment #19)
> Can you create single patch against current version in ports?
Yes, of course. I'll do it now.
Comment 21 Älven 2024-11-05 09:32:03 UTC
Created attachment 254967 [details]
[PATCH] devel/libqb: Improve the port

* Add EXAMPLES option                                                                                                                  
* Add support for activation of tests (still failing)                                                                                  
* Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man                                                                             
* Fix a typo
Comment 22 commit-hook freebsd_committer freebsd_triage 2024-11-05 10:31:26 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7945736569ee6db4563ff713a70a5876d9c5d836

commit 7945736569ee6db4563ff713a70a5876d9c5d836
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-05 10:26:37 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-05 10:27:32 +0000

    devel/libqb: Improve the port

    * Add EXAMPLES option
    * Add support for activation of tests (still failing)
    * Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man
    * Fix a typo

    PR:     282536
    MFH:    2024Q4

 devel/libqb/Makefile                                 | 20 +++++++++++++++-----
 .../files/extra-DOXYGEN_OFF-patch-configure.ac (new) | 11 +++++++++++
 devel/libqb/pkg-plist                                |  8 ++++++++
 3 files changed, 34 insertions(+), 5 deletions(-)
Comment 23 commit-hook freebsd_committer freebsd_triage 2024-11-05 10:32:28 UTC
A commit in branch 2024Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1747341973d7b0af28b606884ae28d1849626230

commit 1747341973d7b0af28b606884ae28d1849626230
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-05 10:26:37 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-05 10:31:48 +0000

    devel/libqb: Improve the port

    * Add EXAMPLES option
    * Add support for activation of tests (still failing)
    * Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man
    * Fix a typo

    PR:     282536
    MFH:    2024Q4
    (cherry picked from commit 7945736569ee6db4563ff713a70a5876d9c5d836)

 devel/libqb/Makefile                                 | 20 +++++++++++++++-----
 .../files/extra-DOXYGEN_OFF-patch-configure.ac (new) | 11 +++++++++++
 devel/libqb/pkg-plist                                |  8 ++++++++
 3 files changed, 34 insertions(+), 5 deletions(-)
Comment 24 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-05 10:33:41 UTC
(In reply to Älven from comment #21)
Thanks.