Bug 225772 - [PATCH] sysutils/bchunk: update to 1.2.2 which fixes three CVEs from 2017 and take maintainership
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Yuri Victorovich
URL: https://reviews.freebsd.org/D14308
Keywords: patch
Reported: 2018-02-08 21:07 UTC by Kai
Modified: 2018-02-17 20:26 UTC (History)

Attachments
Patch to v1.2.2 (1.02 KB, patch)
2018-02-08 21:07 UTC, Kai

Description Kai 2018-02-08 21:07:27 UTC
Created attachment 190442
Patch to v1.2.2

This patch updates bchunk to version 1.2.2, which contains the following security fixes:

- CVE-2017-15953 and CVE-2017-15954, a heap-based buffer overflow.
- CVE-2017-15955, Access violation near NULL on destination operand and crash when processing a malformed CUE (.cue) file.

The following bugfixes/improvements were made:
- Fix wrong track size calculation when having multiple tracks in one image
- Clarified manual page for input/output file types.


QA:
~~~
- portlint -A -> OK
- poudriere (11.1-RELEASE i386 and amd64) -> OK
Comment 1 Yuri Victorovich freebsd_committer 2018-02-10 19:18:10 UTC
Will take some time to create security/vuxml/vuln.xml records.
Comment 2 Yuri Victorovich freebsd_committer 2018-02-10 20:42:25 UTC
Submitter, please note the odd e-mail in your account.
Different from the one in the MAINTAINER field.
Comment 3 Kai 2018-02-10 20:59:03 UTC
(In reply to Yuri Victorovich from comment #2)

Hello Yuri,

Thank you for your information about the mail addresses. The address in the MAINTAINER field is correct and will be used for further ports contributions in the future.

The "odd" mail address is only used for the bugzilla account.
Comment 4 Yuri Victorovich freebsd_committer 2018-02-10 21:02:04 UTC
(In reply to owk from comment #3)

Thanks!

In general, the person submitting the bug report with change of MAINTAINER should be the same person as a new maintainer. Somebody might have some doubts in this case. The domain is the same, but names are different. I think it should be ok in this case.

Cheers,
Yuri
Comment 5 Kai 2018-02-10 21:19:56 UTC
(In reply to Yuri Victorovich from comment #4)

Hello Yuri,

Hrm, that sounds reasonable. Well, I've changed the mail address of the bugzilla account to the address given in the MAINTAINER field.
--
Cheers
Kai
Comment 6 Yuri Victorovich freebsd_committer 2018-02-10 21:22:13 UTC
(In reply to owk from comment #5)

Thanks!
Comment 7 commit-hook freebsd_committer 2018-02-13 23:49:55 UTC
A commit references this bug:

Author: yuri
Date: Tue Feb 13 23:49:51 UTC 2018
New revision: 461759
URL: https://svnweb.freebsd.org/changeset/ports/461759

Log:
  sysutils/bchunk: Update to 1.2.2

  Changelog is in:
  http://he.fi/bchunk/

  freebsd_ports@k-worx.org took maintainership

  Additional port changes:
  * Changed to DISTVERSION
  * Added LICENSE/LICENSE_FILE
  * Silenced do-build

  PR:		225772
  Submitted by:	owk <freebsd_ports@k-worx.org>
  Approved by:	tcberner (mentor, implicit)

Changes:
  head/sysutils/bchunk/Makefile
  head/sysutils/bchunk/distinfo
Comment 8 Yuri Victorovich freebsd_committer 2018-02-13 23:50:10 UTC
Committed with some changes.

Thank you for taking maintainership!
Comment 9 commit-hook freebsd_committer 2018-02-17 20:26:30 UTC
A commit references this bug:

Author: yuri
Date: Sat Feb 17 20:25:49 UTC 2018
New revision: 462192
URL: https://svnweb.freebsd.org/changeset/ports/462192

Log:
  MFH: r461759

  sysutils/bchunk: Update to 1.2.2

  Changelog is in:
  http://he.fi/bchunk/

  freebsd_ports@k-worx.org took maintainership

  Additional port changes:
  * Changed to DISTVERSION
  * Added LICENSE/LICENSE_FILE
  * Silenced do-build

  PR:		225772
  Submitted by:	owk <freebsd_ports@k-worx.org>
  Approved by:	tcberner (mentor, implicit)
  Approved by:	ports-secteam
  Security:	CVE-2017-15953, CVE-2017-15954, CVE-2017-15955

Changes:
_U  branches/2018Q1/
  branches/2018Q1/sysutils/bchunk/Makefile
  branches/2018Q1/sysutils/bchunk/distinfo