Bug 221989 - graphics/gdk-pixbuf2 is vulnerable
Summary: graphics/gdk-pixbuf2 is vulnerable
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-gnome mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-02 00:47 UTC by Alaksiej Čarniajeŭ
Modified: 2017-09-25 13:43 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (gnome)


Attachments
Proposed patch (since 449061 revision) (2.67 KB, patch)
2017-09-02 02:52 UTC, lightside
no flags Details | Diff
Proposed patch (since 449061 revision) (3.48 KB, patch)
2017-09-02 14:39 UTC, lightside
lightside: maintainer-approval? (gnome)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alaksiej Čarniajeŭ 2017-09-02 00:47:36 UTC
According to this http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html version 2.36.6 (currently available in ports) contains two remote code execution vulnerabilities.
Comment 1 lightside 2017-09-02 02:52:45 UTC
Created attachment 185982 [details]
Proposed patch (since 449061 revision)

Hello Alaksiej Čarniajeŭ.
I also reported about this issue to maintainer and FreeBSD security team.

Attached some patch to update graphics/gdk-pixbuf2 port from 2.36.6 to 2.36.9 version.

Look following link for changes:
https://git.gnome.org/browse/gdk-pixbuf/tree/NEWS?h=2.36.9

- Pet portlint about USES
- Add shared-mime-info to USES [*]
- Replace files/patch-Makefile.in with sed patch
- Replace $LIBTIFF with $TIFF_LIBS variables in ${WRKSRC}/configure, which fixes libpixbufloader-tiff.so build
- Adapt pkg-plist

* - For some reason the build started to require shared-mime-info dependency: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=2c2162c86d4f710007cfffbc582a1f0ce8740725

The build was tested on FreeBSD 10.3 amd64.
Comment 2 lightside 2017-09-02 14:39:35 UTC
Created attachment 185989 [details]
Proposed patch (since 449061 revision)

Returned PKGNAMESUFFIX, which I mistakenly removed.
Fixed portlint's warning about env.
Added following patch after 2.36.9 version:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=853c60427f7ebb6b9cdfd142923167af70f13536
Comment 3 commit-hook freebsd_committer 2017-09-02 22:15:32 UTC
A commit references this bug:

Author: kwm
Date: Sat Sep  2 22:15:02 UTC 2017
New revision: 449164
URL: https://svnweb.freebsd.org/changeset/ports/449164

Log:
  Update gdk-pixbuf2 to 2.36.9.

  * Move USES before USE_*, according to porters handbook [1]
  * Add depend on shared-mime-info, due to configure checking for it now.
  * Work around a bug in configure where tiff support isn't correctly
    enabled, resulting in the tiff loader not being build.
  * Regen patch with make makepatch

  PR:		221989
  Submitted by:	lightside@gmx.com
  Reported by:	 Alaksiej Carniajeu <a@carniajeu.com>, portlint [1]
  MFH:		2017Q3
  Security:	CVE-2017-2870, CVE-2017-2862

Changes:
  head/graphics/gdk-pixbuf2/Makefile
  head/graphics/gdk-pixbuf2/distinfo
  head/graphics/gdk-pixbuf2/files/patch-Makefile.in
  head/graphics/gdk-pixbuf2/pkg-plist