Bug 233896

Summary:

archivers/libmspack: Update to 0.9.1 (Fixes several security vulnerabilities)

Product:

Ports & Packages

Reporter:

Henry <PopularMoment>

Component:

Individual Port(s)

Assignee:

Ports Security Team <ports-secteam>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

joneum, koobs, ports-secteam, swills

Priority:

Normal

Keywords:

needs-patch, security

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (fjoe)
koobs: maintainer-feedback? (ports-secteam)

Hardware:

Any

OS:

Any

URL:

https://www.cabextract.org.uk/libmspack/#vulns

Attachments:

Description	Flags
0.9.1 patch	none

Description Henry 2018-12-09 19:44:06 UTC

Created attachment 199990 [details]
0.9.1 patch

CVEs fixed are the top 9 from https://www.cabextract.org.uk/libmspack/#vulns

Comment 1 Kubilay Kocak freebsd_committer

2018-12-10 04:42:44 UTC

Pending (requires) VuXML entry

Comment 2 Max Khon freebsd_committer

2018-12-11 08:44:14 UTC

Committed, thanks!

Comment 3 commit-hook freebsd_committer

2018-12-11 08:45:02 UTC

A commit references this bug:

Author: fjoe
Date: Tue Dec 11 08:44:00 UTC 2018
New revision: 487227
URL: https://svnweb.freebsd.org/changeset/ports/487227

Log:
  Update to 0.9.1alpha

  PR:		233896
  Submitted by:	Henry David Bartholomew

Changes:
  head/archivers/libmspack/Makefile
  head/archivers/libmspack/distinfo

Comment 4 Kubilay Kocak freebsd_committer

2018-12-14 03:42:09 UTC

Re-open for VuXML entry and MFH

Comment 5 Jochen Neumeister freebsd_committer

2019-02-15 18:36:17 UTC

what is the current status?
Does ports-secteam have to be active here?

Comment 6 Kubilay Kocak freebsd_committer

2019-04-24 05:44:50 UTC

VuXML entries were not added for this  (0.9.1) or previous releases

The last libsmpack VuXML entry was <vuln vid="cc7548ef-06e1-11e5-8fda-002590263bf5"> added <entry>2015-05-31</entry> for version < 0.5

This leaves 10 CVE's (security vulnerabilities) not reported to users (per https://www.cabextract.org.uk/libmspack/#vulns)

Comment 7 Jochen Neumeister freebsd_committer

2019-05-17 12:29:18 UTC

ping @fjoe

Comment 8 Kubilay Kocak freebsd_committer

2019-08-23 02:49:12 UTC

Over to ports-secteam, no maintainer response since 2018-12-14

VuXML entries for latest and previous version vulnerabilities (At least 10) remains to be added

Comment 9 Jochen Neumeister freebsd_committer

2020-07-23 15:30:11 UTC

After such a long time, I see no point in creating a vuxml entry. I'm closing here.

Comment 10 Kubilay Kocak freebsd_committer

2020-07-24 02:16:06 UTC

@Jochen I don't understand how the time it has been is related or relevant to documenting known security vulnerabilities in VuXML?

If this is a matter of limited available cycles at ports-secteam to document vulnerabilities (in this case > 10 of them), we can put a call out for others to contribute the change

Comment 11 Jochen Neumeister freebsd_committer

2020-07-24 04:14:10 UTC

@Kubilay, I made this decision as ports-secteam. If you want to add the entry, please reopen this PR. Otherwise I consider it done.