Bug 199162

Summary: [MAINTAINER] devel/dulwich: Update to 0.10.1a (Security Update)
Product: Ports & Packages
Reporter: Marco Bröder <marco.broeder>
Component: Individual Port(s)
Assignee: Jan Beich <jbeich>
Status: Closed FIXED
Severity: Affects Some People
CC: portmgr, python
Priority: ---
Keywords: easy, needs-qa, patch, security
Version: Latest
Flags: marco.broeder: maintainer-feedback+
       koobs: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
- Security update dulwich-0.10.1a.patch (flags: marco.broeder: maintainer-approval+)
- vuxml database patch (flags: none)
- py27-dulwich-0.10a.log (flags: none)

Description Marco Bröder 2015-04-04 16:16:10 UTC
Created attachment 155186
Security update dulwich-0.10.1a.patch

- Security update to 0.10.1a release
(Request MFH to quarterly branch, freebsd-portmgr@FreeBSD.org CC'ed)

Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706

- Update patches

Note: Hg-Git extension works with Mercurial up to 3.3.2, but does not on version
3.3.3. A fix is being developed upstream and coming soon.


Tests on head, stable/10, releng/9.3 - amd64:
- portlint
- poudriere testport + bulk, logs available
- pkg install + delete
- runtime on stable/10 amd64 (in combination with devel/hg-git)


Thanks!
Comment 1 Marco Bröder 2015-04-04 16:17:20 UTC
Created attachment 155187
vuxml database patch

vuxml database patch
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2015-04-09 10:01:35 UTC
Thanks for your submission Marco.

Can you additionally please:

* Attach portlint -AC output
* Attach poudriere testport (or bulk -t) output
* Attach `make validate` output for VuXML changes (See: 11.3.3 in Porters Handbook [1])

Also, can you explain why all of the changes are needed for SOURCES.txt and setup.py?

[1] http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Comment 3 Marco Bröder 2015-04-09 15:28:06 UTC
Created attachment 155369
py27-dulwich-0.10a.log

The changes to SOURCES.txt, MANIFEST.in and setup.py are there to disable building and installing all the tests. They are pointless to the user and several tests are broken even in upstream's environments. It does not make sense to install / run them at the moment.

For the other things, see the attached log and posted output.

# portlint -AC
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
0 fatal errors and 1 warning found.

This is bogus. It is not a new port! portlint -C is more reasonable.

# portlint -C
looks fine.

The poudriere testport log file is attached.

I know the Porter's Handbook section about VuXML. There are already new entries for other ports. So I guess the patch will not apply anymore.

Btw, this whole VuXML procedure is a pain in the ass. Do not get me wrong, but unless something changes there I do not care about it in the future.

The make validate output is not attached (~ 14 MiB output), because it does not validate and never has for me, with or without my patch. I do not exactly know what is wrong with it. It fails to load the external schemas and cannot validate anything. But I guess my changes are fine.

Some example output:

====

http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:41: warning: failed to load external entity "http://www.w3.org/TR/xhtml-modularization/DTD/xhtml-datatypes-1.mod"

[...]

http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:82: warning: failed to load external entity "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd"

[...]

vuln.xml:59: element vuxml: validity error : No declaration for attribute xmlns of element vuxml
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
                                                ^
vuln.xml:60: element vuln: validity error : No declaration for attribute vid of element vuln
  <vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">

[...]

====

and so on for all lines of vuln.xml.

Just wondering if it is a new requirement for a submission to post all the logs? A committer has to test it anyway and I never had to post logs / output before. ;-)

Thank you and regards!
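When the DTD-based `make validate` cannot fetch its external DTDs, as in the output above, every element and attribute is reported as undeclared and the run tells you nothing about the entry itself. The following is an added example, not code from this bug report or from the FreeBSD ports tree: a minimal offline check that covers only what the quoted output shows of the VuXML format (the `vuxml` root element with its namespace and the `vid` attribute of each `vuln`, plus a `topic` child, which is an assumption). It verifies well-formedness, the root element, and that each `vid` is a unique lowercase UUID; the sample document is constructed here and deliberately contains a duplicate and a malformed `vid`.

```python
# Added example; not part of the bug report or of the FreeBSD ports tree.
# Offline sanity check for a VuXML file when the DTD validation tooling
# cannot load its external DTDs. Only the vuxml root, its namespace and
# the vid attribute of vuln are taken from the quoted output; the <topic>
# child is an assumption. The sample document below is constructed.
import re
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
# vid values on the page look like lowercase UUIDs; require that shape.
VID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed sample: one good entry, one duplicate vid, one malformed vid.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">
    <topic>constructed entry one</topic>
  </vuln>
  <vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">
    <topic>constructed duplicate vid</topic>
  </vuln>
  <vuln vid="not-a-uuid">
    <topic>constructed malformed vid</topic>
  </vuln>
</vuxml>
"""


def check_vuxml(text):
    """Return a list of problems found; an empty list means all checks passed.

    ElementTree's expat parser does not resolve external entities or fetch
    external DTDs, so this runs fully offline.
    """
    problems = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{VUXML_NS}}}vuxml":
        problems.append(f"unexpected root element {root.tag!r}")

    seen = {}  # vid -> topic text, used to detect duplicates
    for vuln in root.findall(f"{{{VUXML_NS}}}vuln"):
        vid = vuln.get("vid")
        if vid is None:
            problems.append("vuln without vid attribute")
            continue
        if not VID_RE.match(vid):
            problems.append(f"vid {vid!r} is not a lowercase UUID")
        if vid in seen:
            problems.append(f"duplicate vid {vid!r}")
        seen[vid] = vuln.findtext(f"{{{VUXML_NS}}}topic", default="")
    return problems


if __name__ == "__main__":
    for problem in check_vuxml(SAMPLE):
        print("vuxml check:", problem)
```

Run against the constructed sample it reports the duplicate and the malformed `vid` and nothing else; pointing it at a real vuln.xml only requires reading the file into `check_vuxml`. It is a supplement to, not a replacement for, the DTD validation the Porter's Handbook asks for.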
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-04-17 22:11:31 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:11:16 UTC 2015
New revision: 384191
URL: https://svnweb.freebsd.org/changeset/ports/384191

Log:
  Document new Dulwich vulnerability. CVE-2015-0838

  PR:		199162
  Submitted by:	Marco Bröder (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jan Beich freebsd_committer freebsd_triage 2015-04-17 22:48:21 UTC
Committed. Thanks.
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-04-17 22:48:43 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:47:43 UTC 2015
New revision: 384194
URL: https://svnweb.freebsd.org/changeset/ports/384194

Log:
  - Update to 0.10.1a

  PR:		199162
  Submitted by:	Marco Bröder (maintainer)
  MFH:		2015Q2
  Security:	https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html

Changes:
  head/devel/dulwich/Makefile
  head/devel/dulwich/distinfo
  head/devel/dulwich/files/patch-MANIFEST.in
  head/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  head/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  head/devel/dulwich/files/patch-setup.py
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-04-17 23:06:46 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 23:06:04 UTC 2015
New revision: 384195
URL: https://svnweb.freebsd.org/changeset/ports/384195

Log:
  MFH: r384194

  - Update to 0.10.1a

  PR:		199162
  Submitted by:	Marco Bröder (maintainer)
  Security:	https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html
  Approved by:	portmgr (erwin)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/devel/dulwich/Makefile
  branches/2015Q2/devel/dulwich/distinfo
  branches/2015Q2/devel/dulwich/files/patch-MANIFEST.in
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-setup.py