Bug 215811 - x11/xscreensaver-gnome{-hacks}: Update to 5.36
Summary: x11/xscreensaver-gnome{-hacks}: Update to 5.36
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2017-01-05 23:10 UTC by John Hein
Modified: 2019-10-16 15:08 UTC (History)
6 users (show)

See Also:


Attachments
[patch] update to 5.36 (28.92 KB, patch)
2017-01-05 23:10 UTC, John Hein
no flags Details | Diff
patch-5.35-to-5.36 (3.76 KB, patch)
2017-03-29 17:28 UTC, Kurt Jaeger
no flags Details | Diff
Improved patch for update to 5.36 (28.90 KB, patch)
2019-01-01 17:26 UTC, Andrew
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description John Hein 2017-01-05 23:10:25 UTC
Created attachment 178565 [details]
[patch] update to 5.36

x11/xscreensaver-gnome and x11/xscreensaver-gnome-hacks currently have security vulnerabilities [1].

The attached patch updates from 5.12 (quite old) to 5.36 (this is separate from the update in bug 213575 for plain xscreensaver, which is in timeout waiting for a committer).

The patch features:
 - update plist - additions for new version & sort
 - add license (essentially a variant of MIT / X11)
 - refresh a couple patches

Some ports can depend on this (e.g., mate-screensaver), so they are indirectly affected by the vulnerabilities in the old version.

QA for both xscreensaver-gnome and slave xscreensaver-gnome-hacks:
 - stage-qa (ok)
 - portlint (ok - no new warnings)
 - poudriere testport (ok - 9/i386-stable, 10/amd64-stable)


[1] https://vuxml.FreeBSD.org/freebsd/4b9393b8-7c0c-11e5-a010-080027ddead3.html
Comment 1 Bartek Rutkowski freebsd_committer 2017-03-28 17:48:15 UTC
The patch fails to apply cleanly, could you please fix the issues and submit updated one?
Comment 2 Kurt Jaeger freebsd_committer 2017-03-29 17:28:39 UTC
Created attachment 181296 [details]
patch-5.35-to-5.36

This patch testbuilds fine.
Comment 3 Kurt Jaeger freebsd_committer 2017-03-29 17:29:29 UTC
Comment on attachment 181296 [details]
patch-5.35-to-5.36

Ups this is not for the -gnome variants.
Comment 4 Andrew 2019-01-01 16:04:29 UTC
Confirmed the patch does not apply cleanly. The reported problem is:

|Index: x11/xscreensaver-gnome/Makefile
|===================================================================
|--- x11/xscreensaver-gnome/Makefile	(revision 430548)
|+++ x11/xscreensaver-gnome/Makefile	(working copy)
--------------------------
Patching file x11/xscreensaver-gnome/Makefile using Plan A...
Hunk #1 failed at 3.
Hunk #2 succeeded at 11.
Hunk #3 failed at 20.
2 out of 3 hunks failed--saving rejects to x11/xscreensaver-gnome/Makefile.rej

The first hunk apparently fails because of

-PORTREVISION?=	4

at line 7, which has since been bumped and should be

-PORTREVISION?= 5

The third hunk apparently fails because line 21,

USE_PERL5=	run

is in the patch's context but isn't in the distributed Makefile since bug #233138.

There was also a

Patching file x11/xscreensaver-gnome-hacks/Makefile using Plan A...
Hunk #1 succeeded at 2 with fuzz 1.

but it's not significant.
Comment 5 Andrew 2019-01-01 17:26:03 UTC
Created attachment 200679 [details]
Improved patch for update to 5.36

The attached patch, which is just a slightly adjusted version of the previous one, applies, builds and runs for me on 11.2-RELEASE.

Of course, xscreensaver 5.36 still nags me about it being an old version (which it is), but one thing at a time...
Comment 6 Kurt Jaeger freebsd_committer 2019-01-01 17:30:47 UTC
https://www.jwz.org/xscreensaver/download.html
says 5.42 is the most recent version. Can you try to update to that version ?
Comment 7 John Hein 2019-01-01 18:46:01 UTC
The original patch applied cleanly at 2017-03-29.  I'm not sure why Bartek had trouble then.  And I guess I missed his comment back then.  Maybe he didn't notice that the patch was for two different ports (x11/xscreensaver-gnome and x11/xscreensaver-gnome-hacks).  If you applied it with 'cd ports/x11/xscreensaver-gnome ; patch < attachment-178565', then it would have failed (but 'cd ports; patch < attachment-178565' worked fine back then).

Of course, since then the motion in the tree has made the patch out of date as Andrew observed.  And Andrew's updated patch looks good to me for 5.36.

I'll look at refreshing for 5.42 (although the x11/xscreensaver port is only at 5.40) if Andrew doesn't beat me to it.
Comment 8 Andrew 2019-01-03 00:59:06 UTC
I can certainly look into bringing these up to current. I'm new to porting and it seems like a good opportunity to practice.

However, given that 5.12 still has a vulnerability (as mentioned by John in the original PR) I suggest it would be better to take the patch to 5.36 now, and get that resolved now, before working on the next version. There aren't any major changes mentioned in the changelog between 5.36 and 5.42 (a few new "hacks," i.e. screen savers, and some improvement to font handling) and I would hate to further delay fixing the vulnerability over that.
Comment 9 Walter Schwarzenfeld freebsd_triage 2019-08-08 08:26:50 UTC
x11/xscreensaver-gnome{-hacks} - both ports marked BROKEN - unfetchable.
Comment 10 Rene Ladan freebsd_committer 2019-10-16 15:08:46 UTC
No response for a while and this port expired, so removed.