Bug 270906

Summary: textproc/libxml2: SecurityUpdate to 2.10.4
Product: Ports & Packages
Reporter: takefu
Component: Individual Port(s)
Assignee: Dima Panov <fluffy>
Status: Closed FIXED
Severity: Affects Only Me
CC: arnaud, asomers, fabian, fluffy, frank, george, ish, kirill, michael.osipov, ml, nevecherya, vidar
Priority: ---
Flags: bugzilla: maintainer-feedback? (desktop)
Version: Latest
Hardware: Any
OS: Any
Attachments:
  libxml2-2.10.4.patch (flags: none)
  Reformatted patch (flags: none)

Description takefu 2023-04-18 02:43:50 UTC
Created attachment 241552
libxml2-2.10.4.patch

fix:
  PORTCLIPPY(1) Compliant
  LIBXML2_SLAVE STRIP shared object files


v2.10.4: Apr 11 2023

### Security

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

### Regressions

- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes
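An added check, not part of the reporter's patch or the ports tree, for verifying whether an installed libxml2 already carries the 2.10.4 fixes listed above. It assumes FreeBSD pkg version strings (upstream version, optional `_N` port revision, optional `,E` epoch) and compares each dotted field numerically, which matters because a plain string comparison would rank a hypothetical 2.10.14 below 2.10.4. The `pkg query` call is real pkg(8) syntax; the fallback version it prints when pkg is absent is a constructed sample.

```shell
#!/bin/sh
# Added example (not from this PR): does an installed libxml2 include the
# CVE-2023-29469 / CVE-2023-28484 fixes that shipped in 2.10.4?
# Assumes FreeBSD pkg version form: X.Y.Z[_portrevision][,epoch].

FIXED_VERSION="2.10.4"

# upstream_version "2.10.3_1,1" -> "2.10.3"
# Port revision and epoch are dropped: only the upstream version decides
# whether the security fixes are present.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/,.*$//' -e 's/_.*$//'
}

# version_ge A B: exit 0 if A >= B, comparing dotted fields numerically,
# so 2.10.14 > 2.10.4 and 2.11 > 2.10.4. A missing trailing field counts as 0.
version_ge() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; [ "$fa" = "$a" ] && a='' || a=${a#*.}
        fb=${b%%.*}; [ "$fb" = "$b" ] && b='' || b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# libxml2_patched VERSION: exit 0 if VERSION is 2.10.4 or newer.
libxml2_patched() {
    version_ge "$1" "$FIXED_VERSION"
}

# installed_libxml2_version: ask pkg(8) for the installed version; on a host
# without pkg (not FreeBSD) print a constructed sample value instead.
installed_libxml2_version() {
    if command -v pkg >/dev/null 2>&1; then
        pkg query '%v' libxml2 2>/dev/null
    else
        printf '%s\n' "2.10.3_1"   # constructed sample, pre-fix version
    fi
}

v=$(installed_libxml2_version)
if libxml2_patched "$v"; then
    echo "libxml2 $v: includes the 2.10.4 security fixes"
else
    echo "libxml2 $v: older than $FIXED_VERSION, update textproc/libxml2 (see also pkg audit)"
fi
```

`pkg audit` against the VuXML entry referenced in the commit below is the authoritative check on a FreeBSD host; this script only shows how to do the version comparison correctly when scripting such a check yourself.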
Comment 1 takefu 2023-04-18 02:55:35 UTC
bug #262613 should be closed.
Comment 2 George Mitchell 2023-04-24 22:28:06 UTC
Created attachment 241722
Reformatted patch

(In reply to takefu from comment #0)
I have taken your patch and reformatted it more conventionally, so one can cd to /usr/ports and patch -p1 <reformatted-patch and have it apply cleanly.  It's still the same patch.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-04-27 18:27:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acd6567eeccaba062051ae4571c3d20c355383ac

commit acd6567eeccaba062051ae4571c3d20c355383ac
Author:     Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 18:25:56 +0000

    textproc/libxml2: update to 2.10.14 security release (+)

    - [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
    - [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
    - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

    - SAX2: Ignore namespaces in HTML documents
    - io: Fix "buffer full" error with certain buffer sizes

    PR:             270906
    Security:       0bd7f07b-dc22-11ed-bf28-589cfc0f81b0

    Sponsored by:   Serenity Cybersecurity, LLC

 textproc/libxml2/Makefile | 22 ++++++++++------------
 textproc/libxml2/distinfo |  6 +++---
 2 files changed, 13 insertions(+), 15 deletions(-)
Comment 4 Dima Panov freebsd_committer freebsd_triage 2023-04-27 19:37:25 UTC
Updated, thanks
Comment 5 Michael Osipov 2023-04-27 20:38:23 UTC
Any chance for 2023Q2?
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-04-27 22:58:59 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11a2be5f1911d9e357a87eb302d84d3adf16a783

commit 11a2be5f1911d9e357a87eb302d84d3adf16a783
Author:     Dima Panov <fluffy@FreeBSD.org>
AuthorDate: 2023-04-27 18:07:36 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2023-04-27 22:58:04 +0000

    textproc/libxml2: update to 2.10.14 security release (+)

    - [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
    - [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
    - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

    - SAX2: Ignore namespaces in HTML documents
    - io: Fix "buffer full" error with certain buffer sizes

    PR:             270906
    Security:       0bd7f07b-dc22-11ed-bf28-589cfc0f81b0

    Sponsored by:   Serenity Cybersecurity, LLC

    (cherry picked from commit acd6567eeccaba062051ae4571c3d20c355383ac)

 textproc/libxml2/Makefile | 23 +++++++++++------------
 textproc/libxml2/distinfo |  6 +++---
 2 files changed, 14 insertions(+), 15 deletions(-)