Bug 256436

Summary: textproc/libxml2: Update to 2.9.12 (fixes several vulnerabilities)
Product: Ports & Packages
Reporter: Daniel Engberg <diizzy>
Component: Individual Port(s)
Assignee: Gleb Popov <arrowd>
Status: Closed FIXED
Severity: Affects Many People
CC: arrowd, diizzy, ports-secteam
Priority: Normal
Keywords: needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (desktop)
koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: http://www.xmlsoft.org/news.html
Bug Depends on: 256617, 256734    
Bug Blocks:    
Attachments:
Description | Flags
Patch for libxml2 | none
Patch for libxml2 v2 | none
Patch for libxml2 v3 | none

Description Daniel Engberg freebsd_committer freebsd_triage 2021-06-06 09:42:46 UTC
Created attachment 225587 [details]
Patch for libxml2

Update libxml2 to 2.9.12
Backport following commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/85b1792e37b131e7a51af98a37f92472e8de5f3f
https://gitlab.gnome.org/GNOME/libxml2/-/commit/13ad8736d294536da4cbcd70a96b0a2fbf47070c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/3e1aad4fe584747fd7d17cc7b2863a78e2d21a77

Compile and runtime tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist, make test)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)

textproc/py-libxml2:
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2021-06-06 09:43:36 UTC
When compiling tests, -pthread needs to be passed; not sure how to handle that in a nice way (see patch).
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-06 12:27:18 UTC
^Triage: Security and bugfix releases, MFH.

@Daniel Is there a canonical source for the 2.9.10-12 release notes? I see only a single CVE reference for .11 (CVE-2021-3541) but see other CVEs being referenced elsewhere online that affect .10 too.

CVE-2019-20388
CVE-2020-24977
CVE-2021-3517
CVE-2021-3518
CVE-2021-3537
CVE-2021-3516
CVE-2020-7595
Comment 3 Daniel Engberg freebsd_committer freebsd_triage 2021-06-06 13:08:43 UTC
@Koobs

https://gitlab.gnome.org/GNOME/libxml2/-/commit/b48e77cf4f6fa0792c5f4b639707a2b0675e461b

That's the only commit between .11 and .12

There's no (to my knowledge) other source by upstream except for the commit log.
Comment 4 Daniel Engberg freebsd_committer freebsd_triage 2021-06-09 20:03:23 UTC
Created attachment 225669 [details]
Patch for libxml2 v2

Fix tests
Comment 5 Daniel Engberg freebsd_committer freebsd_triage 2021-06-12 21:07:05 UTC
Created attachment 225761 [details]
Patch for libxml2 v3

Backport https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-06-21 21:37:49 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4c0c936fe9f8e602e56b1b0862e2cfa538cea219

commit 4c0c936fe9f8e602e56b1b0862e2cfa538cea219
Author:     Daniel Engberg <daniel.engberg.lists@pyret.net>
AuthorDate: 2021-06-16 15:33:04 +0000
Commit:     Gleb Popov <arrowd@FreeBSD.org>
CommitDate: 2021-06-21 21:19:10 +0000

    textproc/libxml2: Update to 2.9.12

    PR:             256436
    Reviewed by:    arrowd
    Tested by:      arrowd

 textproc/libxml2/Makefile                          |  39 ++--
 textproc/libxml2/distinfo                          |  14 +-
 textproc/libxml2/files/patch-CVE-2019-20388 (gone) |  33 ----
 textproc/libxml2/files/patch-CVE-2020-24977 (gone) |  36 ----
 textproc/libxml2/files/patch-CVE-2020-7595 (gone)  |  32 ----
 textproc/libxml2/files/patch-CVE-2021-3541 (gone)  |  67 -------
 textproc/libxml2/files/patch-Makefile.in           |  26 ++-
 .../libxml2/files/patch-Python-39-support (gone)   |  92 ---------
 ...-85b1792e37b131e7a51af98a37f92472e8de5f3f (new) | 211 +++++++++++++++++++++
 ...-13ad8736d294536da4cbcd70a96b0a2fbf47070c (new) |  46 +++++
 ...-3e1aad4fe584747fd7d17cc7b2863a78e2d21a77 (new) |  31 +++
 ...-92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f (new) |  43 +++++
 ...106757e8c1e26ad9b8c924c7f304074b79e082c5 (gone) |  39 ----
 13 files changed, 378 insertions(+), 331 deletions(-)
Comment 7 Gleb Popov freebsd_committer freebsd_triage 2021-06-21 22:24:01 UTC
Pushed in, thanks.
Comment 8 Daniel Engberg freebsd_committer freebsd_triage 2021-06-23 08:02:25 UTC
Not sure on how to write a vuxml entry as upstream doesn't directly refer to multiple CVEs.