Bug 215822 - www/w3m: Update request (has known security vulnerabilities)
Summary: www/w3m: Update request (has known security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: MANTANI Nobutaka
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-01-06 10:52 UTC by Daniel
Modified: 2017-01-09 23:39 UTC (History)
6 users (show)

See Also:
nobutaka: maintainer-feedback+
feld: merge-quarterly+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel 2017-01-06 10:52:34 UTC
Please patch w3m, to fix the folowing CVEs:
http://www.vuxml.org/freebsd/eafa3aec-211b-4dd4-9b8a-a664a3f0917a.html

ty
Comment 1 VK freebsd_triage 2017-01-06 11:20:34 UTC
Looks like the upstream we're tracking (SF) is dead, hasn't had updates since 2011 and version 0.5.3 that we have.

Question for maintainer, could we use the Debian's GitHub repo for w3m? Looks fresh with recent fixes:

* https://github.com/tats/w3m

That's also the repo with fixes listed in the VuXML entry linked by the reporter.
Comment 2 Jason Unovitch freebsd_committer 2017-01-08 00:48:18 UTC
It does look like we would want to start using later Github release tags (https://github.com/tats/w3m/releases).  We can switch/MFH and amend the VuXML version accordingly.  Your thoughts, nobutaka@?
Comment 3 commit-hook freebsd_committer 2017-01-09 07:49:15 UTC
A commit references this bug:

Author: nobutaka
Date: Mon Jan  9 07:48:31 UTC 2017
New revision: 430919
URL: https://svnweb.freebsd.org/changeset/ports/430919

Log:
  - Update to 0.5.3.20170102.
  - Switch to code maintained by the Debian Project.
  - This version fixes multiple vulnerabilities.
  - Add LICENSE.
  - Add NLS option.
  - Change default Japanese character encoding to UTF-8.

  PR:		215822
  Reported by:	Daniel <d.stoye@cms.hu-berlin.de>
  MFH:		2017Q1
  Security:	http://www.vuxml.org/freebsd/eafa3aec-211b-4dd4-9b8a-a664a3f0917a.html

Changes:
  head/www/w3m/Makefile
  head/www/w3m/distinfo
  head/www/w3m/files/
  head/www/w3m/pkg-plist
Comment 4 MANTANI Nobutaka freebsd_committer 2017-01-09 08:09:38 UTC
Thank you Daniel, Vladimir and Jason.
I have updated w3m port to 0.5.3+git20170102 that is maintained by the Debian Project and updated the VuXML entry accordingly.
I will do MFH after I get approval to do it.
Comment 5 Daniel 2017-01-09 11:26:36 UTC
ty, it's up in the ports
Comment 6 VK freebsd_triage 2017-01-09 17:54:15 UTC
Someone please set merge-quarterly to (+), I don't have the permission yet. (and please remember to set it in teh future too, ;) )
Comment 7 commit-hook freebsd_committer 2017-01-09 18:06:06 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 18:05:59 UTC 2017
New revision: 430994
URL: https://svnweb.freebsd.org/changeset/ports/430994

Log:
  MFH: r430919

  - Update to 0.5.3.20170102.
  - Switch to code maintained by the Debian Project.
  - This version fixes multiple vulnerabilities.
  - Add LICENSE.
  - Add NLS option.
  - Change default Japanese character encoding to UTF-8.

  PR:		215822
  Reported by:	Daniel <d.stoye@cms.hu-berlin.de>
  Security:	http://www.vuxml.org/freebsd/eafa3aec-211b-4dd4-9b8a-a664a3f0917a.html

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/www/w3m/Makefile
  branches/2017Q1/www/w3m/distinfo
  branches/2017Q1/www/w3m/files/
  branches/2017Q1/www/w3m/pkg-plist
Comment 8 Mark Felder freebsd_committer 2017-01-09 18:06:24 UTC
I took care of the MFH as I was grinding away at outstanding ports-secteam work and noticed this.
Comment 9 Brent Busby 2017-01-09 22:52:49 UTC
One last thing on this bug...

pkg-audit is reporting this when you try to install w3m:

w3m is vulnerable:
Affected versions:
<= 0.5.4
w3m -- multiple vulnerabilities
CVE: CVE-2016-9633
    <lots of CVE's...>

The fix was in www/w3m 0.5.3.20170102, but the vulnerability database will not be satisfied until there's a version 0.5.4 (which may never happen now that we're following the fork).  The VuXML database may need to be updated.
Comment 10 Mark Felder freebsd_committer 2017-01-09 23:25:52 UTC
Your vuxml database is just out of date. Try pkg audit -F first ?

It was changed to be <0.5.3.20170102
Comment 11 Brent Busby 2017-01-09 23:39:04 UTC
(In reply to Mark Felder from comment #10)

You're quite right...thanks...