Bug 199162 - [MAINTAINER] devel/dulwich: Update to 0.10.1a (Security Update)
Summary: [MAINTAINER] devel/dulwich: Update to 0.10.1a (Security Update)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jan Beich
URL:
Keywords: easy, needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2015-04-04 16:16 UTC by Marco Bröder
Modified: 2015-04-17 23:06 UTC (History)
2 users (show)

See Also:
marco.broeder: maintainer-feedback+
koobs: merge-quarterly+


Attachments
Security update dulwich-0.10.1a.patch (17.06 KB, patch)
2015-04-04 16:16 UTC, Marco Bröder
marco.broeder: maintainer-approval+
Details | Diff
vuxml database patch (1.21 KB, patch)
2015-04-04 16:17 UTC, Marco Bröder
no flags Details | Diff
py27-dulwich-0.10a.log (32.97 KB, text/plain)
2015-04-09 15:28 UTC, Marco Bröder
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marco Bröder 2015-04-04 16:16:10 UTC
Created attachment 155186 [details]
Security update dulwich-0.10.1a.patch

- Security update to 0.10.1a release
(Request MFH to quarterly branch, freebsd-portmgr@FreeBSD.org CC'ed)

Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706

- Update patches

Note: Hg-Git extension works with Mercurial up to 3.3.2, but does not on version
3.3.3. A fix is being developed upstream and coming soon.


Tests on head, stable/10, releng/9.3 - amd64:
- portlint
- poudriere testport + bulk, logs available
- pkg install + delete
- runtime on stable/10 amd64 (in combination with devel/hg-git)


Thanks!
Comment 1 Marco Bröder 2015-04-04 16:17:20 UTC
Created attachment 155187 [details]
vuxml database patch

vuxml database patch
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2015-04-09 10:01:35 UTC
Thanks for your submission Marco.

Can you additionally please:

* Attach portlint -AC output
* Attach poudriere testport (or bulk -t) output
* Attach `make validate` output for VuXML changes (See: 11.3.3 in Porters Handbook [1])

Also, can you explain why all of the changes are needed for SOURCES.txt and setup.py?

[1] http://www2.au.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Comment 3 Marco Bröder 2015-04-09 15:28:06 UTC
Created attachment 155369 [details]
py27-dulwich-0.10a.log

The changes to SOURCES.txt, MANIFEST.in and setup.py are there to disable building and installing all the tests. They are pointless to the user and several tests are broken even in upstream's environments. It does not make sense to install / run them at the moment.

For the other things, see the attached log and posted output.

# portlint -AC
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
0 fatal errors and 1 warning found.

This is bogus. It is not a new port! portlint -C is more reasonable.

# portlint -C
looks fine.

The poudriere testport log file is attached.

I know the Porter's Handbook section about VuXML. There are already new entries for other ports. So I guess the patch will not apply anymore.

Btw, this whole VuXML procedure is a pain in the ass. Do not get me wrong but I unless something changes there I do not care about it in the future.

The make validate output is not attached (~ 14 MiB output), because it does not validate and never has for me with or without my patch. I do not exactly know what is wrong with it. It fails to load the external schemes and cannot validate anything. But I guess my changes are fine.

Some example output:

====

http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:41: warning: failed to load external entity "http://www.w3.org/TR/xhtml-modularization/DTD/xhtml-datatypes-1.mod"

[...]

http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd:82: warning: failed to load external entity "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd"

[...]

vuln.xml:59: element vuxml: validity error : No declaration for attribute xmlns of element vuxml
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
                                                ^
vuln.xml:60: element vuln: validity error : No declaration for attribute vid of element vuln
  <vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">

[...]

====

and so on for all lines of vuln.xml.

Just wondering if it is a new requirement for a submission to post all the logs? A committer has to test it anyway and I never had to post logs / output before. ;-)

Thank you and regards!
Comment 4 commit-hook freebsd_committer 2015-04-17 22:11:31 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:11:16 UTC 2015
New revision: 384191
URL: https://svnweb.freebsd.org/changeset/ports/384191

Log:
  Document new Dulwich vulnerability. CVE-2015-0838

  PR:		199162
  Submitted by:	Marco Br?der (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jan Beich freebsd_committer 2015-04-17 22:48:21 UTC
Committed. Thanks.
Comment 6 commit-hook freebsd_committer 2015-04-17 22:48:43 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 22:47:43 UTC 2015
New revision: 384194
URL: https://svnweb.freebsd.org/changeset/ports/384194

Log:
  - Update to 0.10.1a

  PR:		199162
  Submitted by:	Marco Br?der (maintainer)
  MFH:		2015Q2
  Security:	https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html

Changes:
  head/devel/dulwich/Makefile
  head/devel/dulwich/distinfo
  head/devel/dulwich/files/patch-MANIFEST.in
  head/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  head/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  head/devel/dulwich/files/patch-setup.py
Comment 7 commit-hook freebsd_committer 2015-04-17 23:06:46 UTC
A commit references this bug:

Author: jbeich
Date: Fri Apr 17 23:06:04 UTC 2015
New revision: 384195
URL: https://svnweb.freebsd.org/changeset/ports/384195

Log:
  MFH: r384194

  - Update to 0.10.1a

  PR:		199162
  Submitted by:	Marco Br?der (maintainer)
  Security:	https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html
  Approved by:	portmgr (erwin)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/devel/dulwich/Makefile
  branches/2015Q2/devel/dulwich/distinfo
  branches/2015Q2/devel/dulwich/files/patch-MANIFEST.in
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info_SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-dulwich.egg-info__SOURCES.txt
  branches/2015Q2/devel/dulwich/files/patch-setup.py