Bug 249386

Summary: textproc/libxml2: Multiple vulnerabilities
Product: Ports & Packages    Reporter: daniel.engberg.lists
Component: Individual Port(s)    Assignee: freebsd-desktop (Team) <desktop>
Status: Closed FIXED
Severity: Affects Only Me    CC: adridg, ish, mandree, nevecherya, sa.inbox, tcberner
Priority: ---    Flags: tcberner: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
URL: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Axmlsoft&cpe_product=cpe%3A%2F%3Axmlsoft%3Alibxml2&pub_start_date=01%2F21%2F2020&pub_end_date=09%2F17%2F2020
Attachments:
Description Flags
Patch for libxml2 none

Description daniel.engberg.lists 2020-09-17 07:00:03 UTC
Created attachment 218018 [details]
Patch for libxml2

Fixes CVE-2019-20388, CVE-2020-7595, CVE-2020-24977

As there's no public announcement as far as I can tell I'm not sure how I should go about vuxml entry/entries.

Compile tested on FreeBSD 13.0-CURRENT #0 r364979 (AMD64)
Poudriere OK 12.1-RELEASE (AMD64)
Comment 1 Tobias C. Berner freebsd_committer 2020-09-17 16:38:18 UTC
Moin Moin

Thank you very much.

Do you have time to prepare a vuxml entry too?


Mfg Tobias
Comment 2 daniel.engberg.lists 2020-09-17 21:16:46 UTC
Hi,

I'm not sure what to put in "entry" #7
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

Best regards,
Daniel
Comment 3 Tobias C. Berner freebsd_committer 2020-09-18 03:29:57 UTC
(In reply to daniel.engberg.lists from comment #2)

I would just take some text from
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977
and look at the related links there, for example https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

Some existing entries in the vuln.xml also just use
<p>Mitre CVE reports:</p>
there.

So, I wouldn't spend too much time on that :)



mfg Tobias
Comment 4 daniel.engberg.lists 2020-09-19 12:01:28 UTC
I'll leave it to someone who knows vuxml better; it barfs on the URL.
Comment 5 commit-hook freebsd_committer 2020-09-22 17:24:48 UTC
A commit references this bug:

Author: tcberner
Date: Tue Sep 22 17:23:51 UTC 2020
New revision: 549611
URL: https://svnweb.freebsd.org/changeset/ports/549611

Log:
  security/vuxml: document libxml2 vulnerabilities

  PR:		249386

Changes:
  head/security/vuxml/vuln.xml
Comment 6 p5B2E9A8F 2020-09-25 11:33:36 UTC
The patch fixing the CVE-2019-20388, CVE-2020-7595, CVE-2020-24977
is still not committed.
Comment 7 Tobias C. Berner freebsd_committer 2020-09-25 20:26:44 UTC
(In reply to p5B2E9A8F from comment #6)
No one claimed it was :)
Comment 8 commit-hook freebsd_committer 2020-09-25 20:30:26 UTC
A commit references this bug:

Author: tcberner
Date: Fri Sep 25 20:29:38 UTC 2020
New revision: 550081
URL: https://svnweb.freebsd.org/changeset/ports/550081

Log:
  textproc/libxml2: Multiple vulnerabilities

  Includes upstream fixes for

  	* CVE-2019-20388
  	* CVE-2020-7595
  	* CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net
  MFH:		2020Q3

Changes:
  head/textproc/libxml2/Makefile
  head/textproc/libxml2/distinfo
Comment 9 commit-hook freebsd_committer 2020-09-26 10:50:47 UTC
A commit references this bug:

Author: tcberner
Date: Sat Sep 26 10:50:41 UTC 2020
New revision: 550160
URL: https://svnweb.freebsd.org/changeset/ports/550160

Log:
  MFH: r550081

  textproc/libxml2: Multiple vulnerabilities

  Includes upstream fixes for

  	* CVE-2019-20388
  	* CVE-2020-7595
  	* CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net

  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/textproc/libxml2/Makefile
  branches/2020Q3/textproc/libxml2/distinfo
Comment 10 Matthias Andree freebsd_committer 2020-09-27 18:20:54 UTC
I think we might want to reopen this waiting for a pending fix for 
https://gitlab.gnome.org/GNOME/libxml2/-/issues/187
Comment 11 Adriaan de Groot freebsd_committer 2021-05-03 21:55:47 UTC
There's a patch in GNOME GitLab, 0b3c64d9f2f3e9ce1a98d8f19ee7a763c87e27d5, for the issue mandree@ mentions. It doesn't apply at *all* though, since there's an intervening "make these functions non-recursive" that isn't in the release. So you'd be backporting some large-ish set of commits in order to introduce the problem that that patch then fixes. This seems more like a "wait for next release" thing than anything else.

(Putting back to closed, FIXED since that's the status wrt the original report. I *do* wish that GNOME would put out a new release of the library since it's been about 18 months; however, it looks kind of stagnated with lots of open issues and stale MRs)