"pkg audit" has been reporting: linux-c6-xorg-libs-7.4_3 is vulnerable: libXfont -- BDF parsing issues CVE: CVE-2015-1804 CVE: CVE-2015-1803 CVE: CVE-2015-1802 WWW: https://vuxml.FreeBSD.org/freebsd/f7d79fac-cd49-11e4-898f-bcaec565249c.html for quite some time now. It appears that the underlying vulnerability has been fixed by Red Hat since September: https://rhn.redhat.com/errata/RHSA-2015-1708.html#Red%20Hat%20Enterprise%20Linux%20Desktop%20%28v.%206%29 and made it into the CentOS patch repository on the same day: http://mirror.centos.org/centos/6/updates/i386/Packages/libXfont-1.4.5-5.el6_7.i686.rpm Is it possible to get this fix merged into our linux-c6-xorg-libs port? Also, the vuln.xml entry needs to be updated after this, as it wildcards all versions of linux-c6-xorg-libs as vulnerable with <range><ge>*</ge></range>.
Created attachment 164982 [details] [patch] update centos 6.6->6.7 (partial) The attached patch updates Mk/bsd.linux-rpm.mk and x11/linux-c6-xorg-libs to use the centos 6.7 rpms (and bump PORTREVISION). But if this is the way to go, it's just a start... To do: (1) Identify / update other ports affected by updating LINUX_DIST_VER to 6.7 (distinfo updates). (2) exp run to verify all's well after (1) - run with DISABLE_VULNERABILITIES=1 until (3) is done. (3) After updating to centos 6.7 rpms, update vuxml database entry as mentioned in the original description for this bug such that xorg-libs-7.4_4 is not marked vulnerable.
The patch attached above will fail for every port *but* linux-c6-xorg-libs, as the paths listed in distinfo.(i386,x86_64) have changed in every port due to the LINUX_DIST_VER modification. I recommend you look instead into the patch we're preparing - https://reviews.freebsd.org/D3428.
Re: comment 2 ... Yes, I know it will affect all other ports that use LINUX_DIST_VER, which is why I tried to explain that clearly in comment 1 (and why the patch is "partial"). I was not aware of https://reviews.freebsd.org/D3428 which looks like it addresses exactly what I described needs to be done in comment 1 - thanks for pointing it out. Those who visit this bug are encouraged to test the patches in that review and report success or problems.
Looks like this is fixed by: r407537 | miwi | 2016-01-30 13:30:40 -0500 (Sat, 30 Jan 2016) | 14 lines Welcome Centos 6.7 - Upgrade all linux-c6- to CentOS 6.7 - Cleanups PR: 205846 Submitted by: xmj In Collaboration with: allanjude, netchild, xmj Exp-run: antoine Sponsored by: Perceivon Hosting Inc. Differential Revision: D3428 We'd like to thanks for all the feedback and comments. ------------------------------------------------------------------------ and subsequent: r407604 | miwi | 2016-01-31 05:00:14 -0500 (Sun, 31 Jan 2016) | 5 lines - Fix x11/linux-c6-xorg-libs entry as fixed - Also fix modify date Reported by: Terry Kennedy <TERRY@glaver.org> ------------------------------------------------------------------------