Bug 188638 - [PATCH] devel/maven3 security fix
Summary: [PATCH] devel/maven3 security fix
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: John Marino
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-15 03:40 UTC by wombat
Modified: 2014-06-11 08:11 UTC (History)
1 user (show)

See Also:


Attachments
file.diff (3.63 KB, patch)
2014-04-15 03:40 UTC, wombat
no flags Details | Diff
Maven 3 patch (3.56 KB, patch)
2014-06-11 02:33 UTC, wombat
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description wombat 2014-04-15 03:40:00 UTC
Fixes security issue CVE-2013-0253

CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

Also added pkg-plist to port

Fix: Patch attached with submission follows:
Comment 1 John Marino freebsd_committer 2014-06-10 13:03:30 UTC
cool, you picked up maintenance too!
Comment 2 John Marino freebsd_committer 2014-06-10 17:11:41 UTC
hi wombat,

There are leftovers:
=== Checking filesystem state
list of files present before this port was installed but missing after it was deinstalled)
./usr/local/etc/maven-wrapper missing
./usr/local/etc/maven-wrapper/instances.d missing
Deleting openjdk6-b31_3,1


https://redports.org/buildarchive/20140610170347-77403/


Can you figure out what's wrong and tell me how to fix it? 

A "delta" patch or hand-edit instruction is fine; I'll just run it through redports again.
Comment 3 wombat 2014-06-10 17:29:48 UTC
Hello John,

Sure I'll look into that this evening. I think I can guess why the 2 first lines appear, but not sure about

Deleting openjdk6-b31_3,1

Isn't that expected if the dependent jdk is at a newer version too? Sorry, I'm new to this port business. :-)
Comment 4 John Marino freebsd_committer 2014-06-10 17:34:04 UTC
the deleting openjdk line is out of context, I should not have included it.

As part of the file system sanity checks, it:

1) Checks before and after the package was installed and deinstalled
2) checks before and after all the dependencies are installed and deinstalled

For 2) that's the basic clean filesystem.  At the end of 2) when everything is deinstalled, the resulting filesystem should be the same as when it started.

This failed the first check and the deleting openjdk6 line was part of the second step.  Just look at the entire log and it will make sense.
Comment 5 wombat 2014-06-11 02:33:39 UTC
Created attachment 143661 [details]
Maven 3 patch

Removed the unnecessary maven-wrapper removal
Comment 6 wombat 2014-06-11 02:35:08 UTC
OK, it was what I thought it was, phew! Sorry about that and thanks for spotting it. I've added a new complete diff file.
Comment 7 commit-hook freebsd_committer 2014-06-11 08:10:20 UTC
A commit references this bug:

Author: marino
Date: Wed Jun 11 08:09:33 UTC 2014
New revision: 357428
URL: http://svnweb.freebsd.org/changeset/ports/357428

Log:
  devel/maven3: Upgrade version 3.0.4 => 3.0.5 (Fixes security issue)

  * This fixes CVE-2013-0253
  * Assign maintenance to submitter
  * Use pkg-plist instead of file list
  * This passes 8x redports

  PR:		188638
  Submitted by:	wombat

Changes:
  head/devel/maven3/Makefile
  head/devel/maven3/distinfo
  head/devel/maven3/pkg-plist
Comment 8 John Marino freebsd_committer 2014-06-11 08:11:57 UTC
Thanks!