Bug 203761

Summary: [MAINTAINER] net-p2p/bitcoin: Chase net/miniupnpc update, Resolve security vulnerability
Product: Ports & Packages
Reporter: robbak
Component: Individual Port(s)
Assignee: Jan Beich <jbeich>
Status: Closed FIXED
Severity: Affects Some People
CC: ports-secteam, robbak
Priority: ---
Keywords: easy, patch, patch-ready, regression
Version: Latest
Flags: robbak: maintainer-feedback+, koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: http://talosintel.com/reports/TALOS-2015-0035
Bug Depends on:
Bug Blocks: 203705
Attachments (description, flags):
Makefile patch to bump portrevision, chasing miniupnpc upgrade (flags: none)
Patch to bump portrevision, chasing miniupnpc upgrade (flags: robbak: maintainer-approval+)
Portlint output. (flags: none)
Poudriere log of build. (flags: none)
Patch to bump portrevision, chasing miniupnpc upgrade; pet portlint (flags: none)

Description robbak 2015-10-14 07:23:17 UTC
Created attachment 162015
Makefile patch to bump portrevision, chasing miniupnpc upgrade

This patch to Makefile chases the net/miniupnpc upgrade, which will resolve the buffer overflow bug referenced in http://talosintel.com/reports/TALOS-2015-0035 for the bitcoin ports.
Comment 1 robbak 2015-10-14 07:35:54 UTC
Hold off on this - I've just found a build error from miniupnpc
Comment 2 robbak 2015-10-14 08:59:27 UTC
Created attachment 162019
Patch to bump portrevision, chasing miniupnpc upgrade

Corrected patch to chase miniupnpc upgrade. A function definition had changed, so we needed to pick a patch for src/net.cpp to allow for this.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-14 10:21:04 UTC
robbak, could you provide QA (portlint, poudriere) results as attachments please
Comment 4 robbak 2015-10-14 11:28:26 UTC
Created attachment 162028
Portlint output.
Comment 5 robbak 2015-10-14 11:43:09 UTC
Created attachment 162029
Poudriere log of build.
Comment 6 robbak 2015-10-14 11:45:24 UTC
Created attachment 162030
Patch to bump portrevision, chasing miniupnpc upgrade; pet portlint

Slight adjustment, as recommended by portlint.
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-10-14 14:58:01 UTC
A commit references this bug:

Author: jbeich
Date: Wed Oct 14 14:57:34 UTC 2015
New revision: 399270
URL: https://svnweb.freebsd.org/changeset/ports/399270

Log:
  net-p2p/bitcoin: chase r399209

  https://github.com/miniupnp/miniupnp/commit/1da63faa4fff5cb30e5d4b848ceef80a292382b9

  PR:		203761
  Submitted by:	robbak@gmail.com (based on)
  Obtained from:	upstream
  MFH:		2015Q4
  X-MFH-With:	r399209

Changes:
  head/net-p2p/bitcoin/Makefile
  head/net-p2p/bitcoin/files/patch-src_net.cpp
  head/net-p2p/bitcoin-utils/Makefile
Comment 8 Jan Beich freebsd_committer freebsd_triage 2015-10-14 15:00:19 UTC
Bug 203705 is a 'security' fix while 'regression' here is about build breakage and runtime crash due to API/ABI changes. There's nothing to fix until that bug is MFH'd first.

net-p2p/bitcoin-utils lacks a UPNP option, so no need to bump PORTREVISION there.