Bug 200631 - www/tidy-devel: buffer overflow
Summary: www/tidy-devel: buffer overflow
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Thierry Thomas
Depends on:
Reported: 2015-06-04 11:04 UTC by Walter Hop
Modified: 2018-10-30 17:25 UTC
CC List: 5 users

See Also:
thierry: maintainer-feedback+

security/vuxml update for CVE assignment (653 bytes, patch)
2015-07-15 02:04 UTC, Jason Unovitch
junovitch: maintainer-approval? (thierry)

Description Walter Hop 2015-06-04 11:04:40 UTC
A security issue (buffer overflow in parsing HTML) has been fixed in tidy 4.9.31.


It seems there are a few versions of tidy in the ports tree:
- www/tidy-html5 is tidy 4.9.30, which should be bumped to 4.9.31
- www/tidy-devel is libtidy-0.99 or tidy 090315-cvs on sourceforge, which looks abandoned since 2009
- www/tidy-lib just depends on tidy-devel
- www/tidy is tidy 20000804, and looks abandoned since 2000

If I parse the github issue correctly:
- www/tidy-html5 is vulnerable
- www/tidy-devel is vulnerable. It has the affected code part in tmbstr.c. Bug report says: "I can confirm this BUG exists in the 2008/9 libtidy.0.99.so last release, the sourceforge cvs tidy, which is still present in some distributions. Just the quite unique nature of using 'code' ending in spaces or a newline just before an attribute with a 'blank' value prevents it from being seen more often."
- www/tidy seems NOT vulnerable. It does not seem to have the affected code snippet. Bug report says: "Interestingly, it is NOT present in TidyAug2000 [...]"

The solution for www/tidy-html5 seems a trivial version bump, but the www/tidy-devel upstream seems unmaintained, so we possibly should add a patch.

Alternatively, if tidy-html5 is more-or-less a drop-in replacement for tidy-devel, it might be a good moment to get rid of the unmaintained www/tidy and www/tidy-devel ports.
Comment 1 commit-hook freebsd_committer 2015-06-08 17:00:28 UTC
A commit references this bug:

Author: thierry
Date: Mon Jun  8 16:59:41 UTC 2015
New revision: 388845
URL: https://svnweb.freebsd.org/changeset/ports/388845

  Upgrade to 5.9.32.

  This fixes a security problem (heap-buffer-overflow):
  see https://github.com/htacg/tidy-html5/issues/217

  PR:		ports/200631
  Submitted by:	Walter Hop
  Security:	https://github.com/htacg/tidy-html5/issues/217

Comment 2 Thierry Thomas freebsd_committer 2015-06-08 17:09:28 UTC
www/tidy-html5 has been upgraded to the latest release (4.9.32).
I have a plan to make it the default tidy (see PR ports/198138), but it is still considered as beta ATM.

A patch for www/tidy-devel would be appreciated (and surely for www/tidy too!).

It seems that www/tidy (the legacy version) is still used by textproc/p5-EBook-Tools and I don't know if it could be replaced by a modern version (dinoex@ is Cc:'ed).
Comment 3 commit-hook freebsd_committer 2015-06-08 17:31:34 UTC
A commit references this bug:

Author: thierry
Date: Mon Jun  8 17:30:49 UTC 2015
New revision: 388847
URL: https://svnweb.freebsd.org/changeset/ports/388847

  Add an entry for www/tidy-* heap-buffer-overflow.

  PR:		ports/200631
  Submitted by:	Walter Hop

Comment 4 commit-hook freebsd_committer 2015-06-08 18:06:37 UTC
A commit references this bug:

Author: thierry
Date: Mon Jun  8 18:06:09 UTC 2015
New revision: 388849
URL: https://svnweb.freebsd.org/changeset/ports/388849

  Backport the fix from www/tidy-html5.

  PR:		ports/200631
  Submitted by:	Walter Hop
  Security:	VuXML: bd1ab7a5-0e01-11e5-9976-a0f3c100ae18

Comment 5 commit-hook freebsd_committer 2015-06-16 16:53:13 UTC
A commit references this bug:

Author: thierry
Date: Tue Jun 16 16:52:52 UTC 2015
New revision: 389854
URL: https://svnweb.freebsd.org/changeset/ports/389854

  MFH: r388849

  Backport the fix from www/tidy-html5.

  PR:		ports/200631
  Submitted by:	Walter Hop
  Security:	VuXML: bd1ab7a5-0e01-11e5-9976-a0f3c100ae18
  Approved by:	ports-secteam (implicit)
  Reminded by:	Fabiano Sidler

_U  branches/2015Q2/
Comment 6 Jason Unovitch freebsd_committer 2015-07-15 02:04:44 UTC
Created attachment 158783 [details]
security/vuxml update for CVE assignment

- Document assignment of CVE-2015-5522 and CVE-2015-5523 for tidy heap buffer overflow

Reference Mitre's cve-assign:
Comment 7 commit-hook freebsd_committer 2015-07-15 15:20:27 UTC
A commit references this bug:

Author: feld
Date: Wed Jul 15 15:19:54 UTC 2015
New revision: 392155
URL: https://svnweb.freebsd.org/changeset/ports/392155

  Reference another URL for tidy's CVE

  PR:		200631
  Security:	bd1ab7a5-0e01-11e5-9976-a0f3c100ae18

Comment 8 Mark Felder freebsd_committer 2015-07-15 15:20:54 UTC
Is there anything else outstanding or can this bug be closed?
Comment 9 Thierry Thomas freebsd_committer 2015-07-15 16:43:50 UTC
(In reply to Mark Felder from comment #8)

Yes: the original www/tidy should be patched or removed!
Cc: dinoex
Comment 10 Jason Unovitch freebsd_committer 2015-07-20 02:16:19 UTC
(In reply to Mark Felder from comment #8)

textproc/p5-EBook-Tools uses www/tidy as a runtime dep.  Interestingly enough, this functionality is currently broken.  See below.

# ebook tidyxml /usr/ports/security/vuxml/vuln.xml 
Can't exec "tidy": No such file or directory at /usr/local/lib/perl5/site_perl/EBook/Tools.pm line 6812.
Tidy did something unexpected (return value=-1).  Check all output. at /usr/local/bin/ebook line 1383.

I just opened bug 201703 with a patch to update the port's dependency to use www/tidy-html5 along with ensuring that tidy actually works.  While there, I went ahead and updated it to the latest 0.5.4 version.  Once that is done, we could consider www/tidy for removal.
Comment 11 Jason Unovitch freebsd_committer 2015-08-11 22:20:51 UTC
(In reply to Jason Unovitch from comment #10)

Bug 201703 for textproc/p5-EBook-Tools is closed so that is one less dependency blocking a removal of the old www/tidy port.  I didn't notice on my first look that www/bluefish also refers to www/tidy.
Comment 12 Walter Schwarzenfeld freebsd_triage 2018-01-12 07:51:20 UTC
This is surely overcome by events or fixed and can be closed.