Bug 241420

Summary: textproc/libxslt: Fix CVE-2019-18197
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed Overcome By Events
Severity: Affects Many People
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Reporter: Nathan <ndowens04>
Assignee: freebsd-gnome (Nobody) <gnome>
CC: gnome, ndowens04, ports-secteam, w.schwarzenfeld
Keywords: security
Flags: bugzilla: maintainer-feedback? (gnome); koobs: merge-quarterly?
URL: w.schwarzenfeld@utanet.at
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239131
Bug Depends on:    
Bug Blocks: 239131    
Attachments (description, flags):
Fix CVE, close #239131 (flags: none)
Fix CVE, close #239131 (flags: none)
VuXML patch (flags: ndowens04: maintainer-approval? (gnome))
CVE-2019-18197 patch (flags: ndowens04: maintainer-approval? (gnome))

Description Nathan 2019-10-22 20:13:28 UTC
Created attachment 208512 [details]
Fix CVE, close #239131

I have created a patch for CVE-2019-18197, listed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197 ; I have cherry-picked the commit from the URL listed. I also included a patch for suggestion in bug #239131, to close that bug as well.
Comment 1 Nathan 2019-10-22 22:05:41 UTC
Created attachment 208515 [details]
Fix CVE, close #239131

Remove patch prefixes
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:04:42 UTC
Pending VuXML entry
Comment 3 Nathan 2019-10-23 20:17:33 UTC
Created attachment 208538 [details]
VuXML patch

Added entry for VuXML file
Comment 4 Ting-Wei Lan 2019-10-24 14:10:12 UTC
Comment on attachment 208515 [details]
Fix CVE, close #239131

>--- textproc/libxslt/Makefile
>+++ textproc/libxslt/Makefile
>@@ -3,9 +3,9 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/
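Review bot: the MASTER_SITES line drops the official http://xmlsoft.org/sources/ entry and leaves the third-party BLFS mirror on ftp.osuosl.org as the only fetch source, which is unrelated to the CVE fix: PORTVERSION stays at 1.1.33 and the fix is carried as a local patch, so the existing distfile and its distinfo checksums still apply and nothing about the fix requires a new site. Keep the official site listed (first) and add the mirror only as a fallback, and put any site change in its own commit so the security fix can be merged on its own. The PORTREVISION bump is right for a patch-only change.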

Do we really want to use an unofficial site as the only MASTER_SITES?
Comment 5 Nathan 2019-10-24 20:27:44 UTC
(In reply to Ting-Wei Lan from comment #4)
osuosl is a mirror for many FOSS projects, and the other one did not have the new version either (404).
Comment 6 Nathan 2019-10-24 20:37:58 UTC
Created attachment 208586 [details]
CVE-2019-18197 patch
Comment 7 Ting-Wei Lan 2019-10-27 06:58:38 UTC
Comment on attachment 208586 [details]
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,10 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \
>+		   ftp://xmlsoft.org/libxslt/
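Review bot: the unofficial mirror is still listed ahead of the official site, and the official entry changes from the port's previous http://xmlsoft.org/sources/ to ftp://xmlsoft.org/libxslt/, a different scheme and path; list the official site first, keep the mirror as the fallback, and run `make checksum` against each site to confirm the file it serves matches distinfo before committing. Style: the continuation line is indented with tabs followed by spaces, whereas the removed continuation line used tabs only.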

I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.
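The exchange above turns on whether an HTTPS mirror adds any trust. In the ports framework, distfile integrity does not come from the transport or from the site: the port's distinfo file pins a SHA256 and a SIZE for each distfile, and `make checksum` rejects anything that does not match, whichever MASTER_SITES entry served it. The script below is an added example, not code from this bug report or from the FreeBSD ports tree; it re-implements that check in POSIX sh over a constructed distinfo and constructed "distfiles" (the hash is of the toy contents, not of any libxslt release), and the helper names are its own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the FreeBSD ports tree.
# It re-implements the integrity check that "make checksum" performs: compare a
# fetched distfile against the SHA256 and SIZE lines pinned in distinfo. Because
# those values live in the ports tree, the MASTER_SITES mirror that served the
# file (official or not, http or https) does not have to be trusted for integrity.
# The distinfo lines and the "distfiles" below are constructed for the demo; the
# line format (SHA256 (name) = hex, SIZE (name) = bytes) is the real one.

# SHA-256 of a file, portable across sha256sum (Linux), sha256 (FreeBSD), openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Size in bytes; tr strips the leading padding that BSD wc prints.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_distfile DISTINFO DISTFILE
# Returns 0 only when both the SHA256 and the SIZE entry for the file's basename
# exist in DISTINFO and match; a missing entry is a failure, not a pass.
verify_distfile() {
    distinfo=$1
    distfile=$2
    name=$(basename "$distfile")
    want_sha=$(awk -v n="$name" '$1 == "SHA256" && $2 == ("(" n ")") { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE" && $2 == ("(" n ")") { print $4 }' "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "$name: no distinfo entry" >&2
        return 1
    fi
    have_size=$(file_size "$distfile")
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size $have_size, distinfo says $want_size" >&2
        return 1
    fi
    have_sha=$(sha256_of "$distfile")
    if [ "$have_sha" != "$want_sha" ]; then
        echo "$name: SHA256 mismatch" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data (not real libxslt distfiles) ---------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

printf 'hello\n' > "$DEMO_DIR/libxslt-demo.tar.xz"   # the "good" distfile
printf 'jello\n' > "$DEMO_DIR/swapped.tar.xz"        # same size, different bytes
printf 'hello!\n' > "$DEMO_DIR/resized.tar.xz"       # wrong size

# distinfo pins the good file's values under all three names, so only the first
# file can pass; the hash below is SHA-256 of the six bytes "hello\n".
cat > "$DEMO_DIR/distinfo" <<'EOF'
TIMESTAMP = 1571776408
SHA256 (libxslt-demo.tar.xz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (libxslt-demo.tar.xz) = 6
SHA256 (swapped.tar.xz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (swapped.tar.xz) = 6
SHA256 (resized.tar.xz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (resized.tar.xz) = 6
EOF

for f in libxslt-demo.tar.xz swapped.tar.xz resized.tar.xz; do
    if verify_distfile "$DEMO_DIR/distinfo" "$DEMO_DIR/$f"; then
        echo "$f: OK"
    else
        echo "$f: REJECTED"
    fi
done
```

The size check runs before the hash so a wrong-length file is rejected without hashing it, and a name with no distinfo entry is rejected rather than waved through; that is the property that makes the choice and ordering of MASTER_SITES an availability question rather than an integrity one.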
Comment 8 Walter Schwarzenfeld freebsd_triage 2020-01-26 18:12:07 UTC
We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.