Created attachment 254927 [details] [PATCH] devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976 https://nvd.nist.gov/vuln/detail/CVE-2023-39976
Port without maintainer - do you want to become the maintainer?
I'll try to do it, and will be ready to transfer it to anyone who may do it better than me, would one ask me about it :)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=1bdede316d9cf2b726ee433f32a64a6708a67b48 commit 1bdede316d9cf2b726ee433f32a64a6708a67b48 Author: Älven <alster@vinterdalen.se> AuthorDate: 2024-11-04 19:01:32 +0000 Commit: Vladimir Druzenko <vvd@FreeBSD.org> CommitDate: 2024-11-04 19:01:32 +0000 security/vuxml: Add record for devel/libqb < 2.0.8 CVE-2023-39976 log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered. https://nvd.nist.gov/vuln/detail/CVE-2023-39976 PR: 282536 security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=c08f528cd36c76d76f221e7af8d5918054978bdf commit c08f528cd36c76d76f221e7af8d5918054978bdf Author: Älven <alster@vinterdalen.se> AuthorDate: 2024-11-04 20:34:07 +0000 Commit: Vladimir Druzenko <vvd@FreeBSD.org> CommitDate: 2024-11-04 20:54:58 +0000 devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered. https://nvd.nist.gov/vuln/detail/CVE-2023-39976 Changelogs: https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7 https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8 Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix warnings from portclippy. PR: 282536 MFH: 2024Q4 devel/libqb/Makefile | 24 ++++++++++++------------ devel/libqb/distinfo | 6 +++--- devel/libqb/files/patch-configure (gone) | 11 ----------- devel/libqb/pkg-descr | 10 +++++++--- devel/libqb/pkg-plist | 2 +- 5 files changed, 23 insertions(+), 30 deletions(-)
A commit in branch 2024Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3b5e2b275eb786a87844f5a4ce8487f47fb45737 commit 3b5e2b275eb786a87844f5a4ce8487f47fb45737 Author: Älven <alster@vinterdalen.se> AuthorDate: 2024-11-04 20:34:07 +0000 Commit: Vladimir Druzenko <vvd@FreeBSD.org> CommitDate: 2024-11-04 21:20:13 +0000 devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered. https://nvd.nist.gov/vuln/detail/CVE-2023-39976 Changelogs: https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7 https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8 Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix warnings from portclippy. PR: 282536 MFH: 2024Q4 (cherry picked from commit c08f528cd36c76d76f221e7af8d5918054978bdf) devel/libqb/Makefile | 24 ++++++++++++------------ devel/libqb/distinfo | 6 +++--- devel/libqb/files/patch-configure (gone) | 11 ----------- devel/libqb/pkg-descr | 10 +++++++--- devel/libqb/pkg-plist | 2 +- 5 files changed, 23 insertions(+), 30 deletions(-)
Thanks.
Maybe I'm missing something here but grep shows no libxml2 code?
So I may safely remove it, yes? I'll try to test…
configure print: checking for libxml... yes
Configure seems to require it somehow: checking for libxml... no configure: error: Package requirements (libxml-2.0) were not met: Package 'libxml-2.0' not found Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Alternatively, you may set the environment variables libxml_CFLAGS and libxml_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. ===> Script "configure" failed unexpectedly.
Having a quick look it seems like it's only referenced in doxygen2man/doxygen2man.c which as far as I can tell is never installed?
I tried it. For some reason it's is being built anyway, even with DOXYGEN=OFF. What may be good solution for this? At least I may replace USE=gnome + USE_GNOME=libxml2 with just BUILD_DEPENDS=libxml2>0:textproc/libxml2, if it will be better…
Created attachment 254958 [details] [PATCH] devel/libqb: Add EXAMPLES option, fix typo Add EXAMPLES option, fix typo.
Hugly hack the seems to work (just having a quick look), comment out https://github.com/ClusterLabs/libqb/blob/main/configure.ac#L171 and add USES= autoreconf
Created attachment 254959 [details] [PATCH] devel/libqb: Add EXAMPLES option, fix typo Add EXAMPLES option, fix typo.
(In reply to Daniel Engberg from comment #14) Thank you! It really helped :)
Created attachment 254960 [details] [PATCH] devel/libqb: Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man.
Created attachment 254961 [details] [PATCH] devel/libqb: Add support for activation of tests (still failing) Add support for activation of tests (still failing)