Bug 282536

Summary: devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976
Product: Ports & Packages
Reporter: Älven <alster>
Component: Individual Port(s)
Assignee: Vladimir Druzenko <vvd>
Status: Closed FIXED
Severity: Affects Some People
CC: diizzy, ports-secteam, vvd
Priority: ---
Keywords: security
Version: Latest
Flags: vvd: merge-quarterly+
Hardware: Any
OS: Any
URL: https://github.com/ClusterLabs/libqb/releases
Attachments:
Description Flags
[PATCH] devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976
none
[PATCH] devel/libqb: Add EXAMPLES option, fix typo
alster: maintainer-approval+
[PATCH] devel/libqb: Add EXAMPLES option, fix typo
alster: maintainer-approval+
[PATCH] devel/libqb: Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man
alster: maintainer-approval+
[PATCH] devel/libqb: Add support for activation of tests (still failing)
alster: maintainer-approval+

Description Älven 2024-11-04 12:48:17 UTC
Created attachment 254927
[PATCH] devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976

https://nvd.nist.gov/vuln/detail/CVE-2023-39976
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 12:56:54 UTC
Port without maintainer - do you want to become the maintainer?
Comment 2 Älven 2024-11-04 14:29:44 UTC
I'll try to do it, and will be ready to transfer it to anyone who may do it better than me, should anyone ask me about it :)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-11-04 19:04:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1bdede316d9cf2b726ee433f32a64a6708a67b48

commit 1bdede316d9cf2b726ee433f32a64a6708a67b48
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 19:01:32 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 19:01:32 +0000

    security/vuxml: Add record for devel/libqb < 2.0.8 CVE-2023-39976

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    PR:     282536

 security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Comment 4 commit-hook freebsd_committer freebsd_triage 2024-11-04 21:00:36 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c08f528cd36c76d76f221e7af8d5918054978bdf

commit c08f528cd36c76d76f221e7af8d5918054978bdf
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 20:34:07 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 20:54:58 +0000

    devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    Changelogs:
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8

    Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix
    warnings from portclippy.

    PR:     282536
    MFH:    2024Q4

 devel/libqb/Makefile                     | 24 ++++++++++++------------
 devel/libqb/distinfo                     |  6 +++---
 devel/libqb/files/patch-configure (gone) | 11 -----------
 devel/libqb/pkg-descr                    | 10 +++++++---
 devel/libqb/pkg-plist                    |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-11-04 21:21:39 UTC
A commit in branch 2024Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3b5e2b275eb786a87844f5a4ce8487f47fb45737

commit 3b5e2b275eb786a87844f5a4ce8487f47fb45737
Author:     Älven <alster@vinterdalen.se>
AuthorDate: 2024-11-04 20:34:07 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2024-11-04 21:20:13 +0000

    devel/libqb: update 2.0.6 → 2.0.8, fix CVE-2023-39976, take maintainership

    log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long
    log messages because the header size is not considered.
    https://nvd.nist.gov/vuln/detail/CVE-2023-39976

    Changelogs:
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.7
    https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8

    Improve port: remove GNU_CONFIGURE_MANPREFIX, update pkg-descr, fix
    warnings from portclippy.

    PR:     282536
    MFH:    2024Q4
    (cherry picked from commit c08f528cd36c76d76f221e7af8d5918054978bdf)

 devel/libqb/Makefile                     | 24 ++++++++++++------------
 devel/libqb/distinfo                     |  6 +++---
 devel/libqb/files/patch-configure (gone) | 11 -----------
 devel/libqb/pkg-descr                    | 10 +++++++---
 devel/libqb/pkg-plist                    |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 21:26:03 UTC
Thanks.
Comment 7 Daniel Engberg freebsd_committer freebsd_triage 2024-11-04 22:47:38 UTC
Maybe I'm missing something here but grep shows no libxml2 code?
Comment 8 Älven 2024-11-04 23:16:48 UTC
So I may safely remove it, yes? I'll try to test…
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2024-11-04 23:37:22 UTC
configure prints:
checking for libxml... yes
Comment 10 Älven 2024-11-04 23:38:10 UTC
Configure seems to require it somehow:

checking for libxml... no
configure: error: Package requirements (libxml-2.0) were not met:

Package 'libxml-2.0' not found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables libxml_CFLAGS
and libxml_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
===>  Script "configure" failed unexpectedly.
Comment 11 Daniel Engberg freebsd_committer freebsd_triage 2024-11-04 23:42:46 UTC
Having a quick look it seems like it's only referenced in doxygen2man/doxygen2man.c which as far as I can tell is never installed?
Comment 12 Älven 2024-11-05 00:08:11 UTC
I tried it. For some reason it's being built anyway, even with DOXYGEN=OFF.
What may be a good solution for this?
At least I may replace USE=gnome + USE_GNOME=libxml2 with just BUILD_DEPENDS=libxml2>0:textproc/libxml2, if it will be better…
Comment 13 Älven 2024-11-05 00:23:47 UTC
Created attachment 254958
[PATCH] devel/libqb: Add EXAMPLES option, fix typo

Add EXAMPLES option, fix typo.
Comment 14 Daniel Engberg freebsd_committer freebsd_triage 2024-11-05 00:25:28 UTC
Ugly hack that seems to work (just having a quick look), comment out
https://github.com/ClusterLabs/libqb/blob/main/configure.ac#L171 and add USES= autoreconf
Comment 15 Älven 2024-11-05 00:27:38 UTC
Created attachment 254959
[PATCH] devel/libqb: Add EXAMPLES option, fix typo

Add EXAMPLES option, fix typo.
Comment 16 Älven 2024-11-05 00:55:41 UTC
(In reply to Daniel Engberg from comment #14)
Thank you! It really helped :)
Comment 17 Älven 2024-11-05 00:57:01 UTC
Created attachment 254960
[PATCH] devel/libqb: Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man

Fix conditional BUILD_DEPENDS on libxml2 for doxygen2man.
Comment 18 Älven 2024-11-05 01:16:32 UTC
Created attachment 254961
[PATCH] devel/libqb: Add support for activation of tests (still failing)

Add support for activation of tests (still failing)