Bug 254793

Summary: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
Product: Ports & Packages Reporter: Yasuhiro Kimura <yasu>
Component: Individual Port(s)Assignee: Koichiro Iwao <meta>
Status: Closed FIXED    
Severity: Affects Only Me CC: meta, ruby
Priority: --- Flags: bugzilla: maintainer-feedback? (ports-secteam)
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Patch file
none
Updated patch file none

Description Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-05 14:48:40 UTC 
Created attachment 223832 [details]
Patch file

Document XML round-trip vulnerability of REXML in Ruby.
Comment 1 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 13:29:47 UTC 
Failed to apply the patch. Can you resubmit it?
Comment 2 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-06 13:38:29 UTC 
Created attachment 223857 [details]
Updated patch file

Chase update of ports tree.
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-06 13:40:07 UTC 
(In reply to Koichiro Iwao from comment #1)

Please try updated patch.

Best Regards.
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-04-06 13:55:08 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbbdab46f9b73b3593fb453c4a2523936d569e15

commit cbbdab46f9b73b3593fb453c4a2523936d569e15
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2021-04-05 14:42:08 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2021-04-06 13:53:57 +0000

    security/vuxml: Document XML round-trip vulnerability of REXML in Ruby

    Document XML round-trip vulnerability of REXML in Ruby.

    PR:             254793
    Reported by:    Yasuhiro Kimura <yasu@utahime.org>
    Security:       CVE-2021-28965

 security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 5 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 14:08:34 UTC 
Thanks for the quick follow-up.

Submitting patches generated by `git format-patch` is helpful. Because I can reuse most parts of the submitter's commit message. At least I'm very happy with receiving format-patch style patch.

I can apply the submitter's patch with the following commands.

$ curl -L '<patch URL>' > /tmp/patch
$ git am /tmp/patch
$ git commit --amend --reset-author
(add some commit messages)

The reason why I reset author is the repository blocks commits which has different committer and author.

remote:
remote: ================================================================
remote: meta, you are pushing a commit which author and committer are different:
remote:
remote: author: Yasuhiro Kimura <yasu@utahime.org>
remote: commit: e88e34f77ee344af29c0514ea45557a447d63b67
remote: subject: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
remote:
remote: Please check the author name and email are correct and then use:
remote:         git push --push-option=confirm-author
remote: ================================================================
To gitrepo.freebsd.org:ports.git
 ! [remote rejected]           main -> main (pre-receive hook declined)
error: failed to push some refs to 'gitrepo.freebsd.org:ports.git'
Comment 6 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 14:09:06 UTC 
Committed, thanks!