Bug 249386
| Summary: | textproc/libxml2: Multiple vulnerabilities | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Daniel Engberg <diizzy> | ||||
| Component: | Individual Port(s) | Assignee: | freebsd-desktop (Team) <desktop> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | CC: | adridg, ish, mandree, nevecherya, sa.inbox, tcberner | ||||
| Priority: | --- | Flags: | tcberner:
maintainer-feedback+
|
||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Axmlsoft&cpe_product=cpe%3A%2F%3Axmlsoft%3Alibxml2&pub_start_date=01%2F21%2F2020&pub_end_date=09%2F17%2F2020 | ||||||
| Attachments: |
|
||||||
Moin Moin Thanj you very much. Do you have time to prepare a vuxml entry too? Mfg Tobias Hi, I'm not sure what to put in "entry" #7 https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html Best regards, Daniel (In reply to daniel.engberg.lists from comment #2) I would just take some text from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977 and look at the related links there, for example https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 Some existing entries in the vuln.xml also just use <p>Mitre CVE reports:</p> there. So, I wouldn't spend too much time on that :) mfg Tobias I'll leave it someone who knows vuxml better, it barfs on the URL. A commit references this bug: Author: tcberner Date: Tue Sep 22 17:23:51 UTC 2020 New revision: 549611 URL: https://svnweb.freebsd.org/changeset/ports/549611 Log: security/vuxml: document libxml2 vulnerabilities PR: 249386 Changes: head/security/vuxml/vuln.xml The patch fixing the CVE-2019-20388, CVE-2020-7595, CVE-2020-24977 is still not committed. (In reply to p5B2E9A8F from comment #6) No one claimed it was :) A commit references this bug: Author: tcberner Date: Fri Sep 25 20:29:38 UTC 2020 New revision: 550081 URL: https://svnweb.freebsd.org/changeset/ports/550081 Log: textproc/libxml2: Multiple vulnerabilities Includes upstreams fixes for * CVE-2019-20388 * CVE-2020-7595 * CVE-2020-24977 PR: 249386 Submitted by: daniel.engberg.lists@pyret.net MFH: 2020Q3 Changes: head/textproc/libxml2/Makefile head/textproc/libxml2/distinfo A commit references this bug: Author: tcberner Date: Sat Sep 26 10:50:41 UTC 2020 New revision: 550160 URL: https://svnweb.freebsd.org/changeset/ports/550160 Log: MFH: r550081 textproc/libxml2: Multiple vulnerabilities Includes upstreams fixes for * CVE-2019-20388 * CVE-2020-7595 * CVE-2020-24977 PR: 249386 Submitted by: daniel.engberg.lists@pyret.net Approved by: ports-secteam (fluffy) Changes: _U branches/2020Q3/ branches/2020Q3/textproc/libxml2/Makefile branches/2020Q3/textproc/libxml2/distinfo I think we might want to reopen this waiting for a pending fix for https://gitlab.gnome.org/GNOME/libxml2/-/issues/187 There's a patch in GNOME GitLab, 0b3c64d9f2f3e9ce1a98d8f19ee7a763c87e27d5, for the issue mandree@ mentions. It doesn't apply at *all* though, since there's an intervening "make these functions non-recursive" that isn't in the release. So you'd be backporting some large-ish set of commits in order to introduce the problem that that patch then fixes. This seems more like a "wait for next release" thing than anything else. (Putting back to closed, FIXED since that's the status wrt the original report. I *do* wish that GNOME would put out a new release of the library since it's been about 18 months; however, it looks kind of stagnated with lots of open issues and stale MRs) |
Created attachment 218018 [details] Patch for libxml2 Fixes CVE-2019-20388, CVE-2020-7595, CVE-2020-24977 As there's no public announcement as far as I can tell I'm not sure how I should go about vuxml entry/entries. Compile tested on FreeBSD 13.0-CURRENT #0 r364979 (AMD64) Poudriere OK 12.1-RELEASE (AMD64)