Comment 1 Kai Knoblich 2018-03-10 00:33:29 UTC

Created attachment 191362 [details]
Patch for 0.13.68 - revision 2

The new revision fixes also the WWW information.

Comment 2 Kai Knoblich 2018-03-17 14:00:16 UTC

Created attachment 191575 [details]
Patch for zziplib 0.13.69

Hello,

zziplib 0.13.69 has been released recently. This update fixes the CVEs from the 0.13.68 release.

The full changelog is here:

https://github.com/gdraheim/zziplib/releases/tag/v0.13.69

QA:
~~~
- poudriere (11.1R amd64 + i386) -> OK
- portlint -> OK

Comment 3 Yuri Victorovich 2018-03-27 22:28:04 UTC

> Some days ago there were four new CVEs created which are unresolved at the moment

If to enter such CVEs into VuXML, this would block devel/zziplib entirely because it will be officially vulnerable.

Comment 4 Yuri Victorovich 2018-03-27 22:35:42 UTC

https://github.com/gdraheim/zziplib/issues/50

Comment 5 Kai Knoblich 2018-03-28 16:33:05 UTC

(In reply to Yuri Victorovich from comment #4)

Upstream has given a official statement, that the current release, v0.13.69 has no known CVEs at the moment.

I have checked this against the CVE database (cvs.mitre.org) and those in the v0.13.68 were fixed so v0.13.69 should be non-vulnerable at the moment.

The patch for v0.13.69 is already attached and ready to land.
--
Cheers
Kai

Comment 6 Yuri Victorovich 2018-03-28 16:39:53 UTC

All fixed CVEs need to be entered into security/vuxml/vuln.xml with versions and dates.

Comment 7 Kai Knoblich 2018-03-28 19:02:26 UTC

Created attachment 191915 [details]
zziplib-vuln.xml

So, the vuln.xml should be actual in no time with the attached diff.

Comment 8 Kai Knoblich 2018-07-06 17:03:09 UTC

Created attachment 194919 [details]
zziplib-0.13.69-rev2.patch

Rebased patch after r465870 .

Comment 9 Kai Knoblich 2018-07-06 17:41:12 UTC

Created attachment 194920 [details]
zziplib-vuln-rev2.xml

Rebased vuln.xml after r473963 .

Comment 10 commit-hook 2018-07-06 17:58:42 UTC

A commit references this bug:

Author: miwi
Date: Fri Jul  6 17:57:49 UTC 2018
New revision: 474027
URL: https://svnweb.freebsd.org/changeset/ports/474027

Log:
  - Update to 0.13.68
  - Security fixes for:
  - CVE-2017-5974
  - CVE-2017-5975
  - CVE-2017-5976
  - CVE-2017-5979
  - CVE-2017-5980
  - CVE-2017-5981
  - CVE-2017-5977
  - CVE-2018-6381
  - CVE-2018-6484
  - CVE-2018-6540
  - CVE-2018-6541
  - CVE-2018-6542
  - CVE-2018-6869
  - CVE-2018-7725
  - CVE-2018-7726
  - CVE-2018-7727

  PR:	226491
  Submitted by:	maintainer
  MFH:	2018Q3

Changes:
  head/devel/zziplib/Makefile
  head/devel/zziplib/distinfo
  head/devel/zziplib/files/patch-configure
  head/devel/zziplib/files/patch-zzip_Makefile.in
  head/devel/zziplib/pkg-descr
  head/devel/zziplib/pkg-plist

Comment 11 commit-hook 2018-07-06 18:06:50 UTC

A commit references this bug:

Author: miwi
Date: Fri Jul  6 18:05:52 UTC 2018
New revision: 474029
URL: https://svnweb.freebsd.org/changeset/ports/474029

Log:
  MFH: r474027 r474028

  - Update to 0.13.68
  - Security fixes for:
  - CVE-2017-5974
  - CVE-2017-5975
  - CVE-2017-5976
  - CVE-2017-5979
  - CVE-2017-5980
  - CVE-2017-5981
  - CVE-2017-5977
  - CVE-2018-6381
  - CVE-2018-6484
  - CVE-2018-6540
  - CVE-2018-6541
  - CVE-2018-6542
  - CVE-2018-6869
  - CVE-2018-7725
  - CVE-2018-7726
  - CVE-2018-7727

  PR:	226491
  Submitted by:	maintainer

  - Added/RM missing patches

  Approved by: ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/zziplib/Makefile
  branches/2018Q3/devel/zziplib/distinfo
  branches/2018Q3/devel/zziplib/files/patch-configure
  branches/2018Q3/devel/zziplib/files/patch-docs_Makefile.in
  branches/2018Q3/devel/zziplib/files/patch-docs_dbk2man.py
  branches/2018Q3/devel/zziplib/files/patch-zzip_Makefile.in
  branches/2018Q3/devel/zziplib/pkg-descr
  branches/2018Q3/devel/zziplib/pkg-plist

Comment 12 Martin Wilke 2018-07-06 18:08:12 UTC

Committed, vuxml entry is still missing, will combined it to one entry.

Comment 13 Kai Knoblich 2018-07-06 19:24:17 UTC

Created attachment 194922 [details]
zziplib-vuln-rev3.xml

Compressed all CVEs into one vuxml entry.

update failed with:
 "unix man format of the manpages - goes to ../share/man/man3"
going to regenerate manpages.tar in subdir 'man'
test ! -d man3 || rm man3/* ; test -d man3 || mkdir man3
/usr/local/bin/xmlto -o man3 man zziplib.xml
xmlto: /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml does not validate (status 3)
xmlto: Fix document syntax or use --skip-validation option
I/O error : Attempt to load network entity http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd
/ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml:2: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
       "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
                                                                  ^
I/O error : Attempt to load network entity http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd
warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
validity error : Could not load the external subset "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
Document /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml does not validate
*** [manpages.tar] Error code 13

make[4]: stopped in /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs
1 error

put back
 	 CONFIGURE_ENV=  ac_cv_path_XMLTO=":"

in the Makefile solves it.

Comment 15 Kai Knoblich 2018-07-06 21:51:09 UTC

(In reply to w.schwarzenfeld from comment #14)

Hello Walter,

thanks for your info. I cannot reproduce the problem with poudriere at the moment and I did a comparison of the buildlogs. It seems that the Python script "dbk2man.py" is not invoked at your build for some yet unknown reason.

Below is the partial output of the related sections where the building of the manpages did start (11.2-RELEASE amd64): 

> [...]
> "unix man format of the manpages - goes to ../share/man/man3"
> going to regenerate manpages.tar in subdir 'man'
> test ! -d man3 || rm man3/* ; test -d man3 || mkdir man3
> ./dbk2man.py -d man3 zziplib.xml
> ./dbk2man.py -d man3 zzipmmapped.xml
> ./dbk2man.py -d man3 zzipfseeko.xml
> chmod 664 man3/*.3
> /bin/pax -w -O -f "manpages.tar" man3/
> echo deleting...; rm man3/*.3 ; rmdir man3
> deleting...
> cp manpages.tar zziplib-manpages.tar (saved)
> [...]

see Bug 229572  - same errror,

(In reply to Kai from comment #15)

Cannot find "dbk2man.py". Looks missing dependency.
In which port is it included?
Or exist only your system as not-yet-committed port?
  `find /usr/ports/ -name "pkg-plist*" | xargs grep -n "dbk2man"`
doesn't find anything. (Possibly auto-plist ones, though.)

In addition, proposed fix by w.schwarzenfeld@utanet.at helped.

find /usr/ports/devel/zziplib/work/zziplib-0.13.69/* -name dbk2man.py
/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/dbk2man.py

and
files/patch-docs_dbk2man.py

The file is only need for build.

(In reply to Kai from comment #15)
Yes, it builds with poudriere. But it does not build with portmaster and port.

Comment 21 Kai Knoblich 2018-07-07 05:10:22 UTC

(In reply to w.schwarzenfeld from comment #20)

I think I've found the root cause:

If textproc/xmlto is installed the build will fail because the configure environment uses then xmlto instead of the dbk2man.py script to generate the man pages.

Thus your suggested workaround to put back the CONFIGURE_ENV variable is required to remedy the problem in build enviroments where textproc/xmlto is installed.

I will generate a patch shortly after this message.

Comment 22 Kai Knoblich 2018-07-07 05:35:25 UTC

Created attachment 194926 [details]
zziplib-fix-xmlto.patch / to be applied after r474027

This patch re-adds CONFIGURE_ENV back to make builds possible in environments where textproc/xmlto is installed after r474027 was committed.


QA:
~~~
- poudriere (11.2-RELEASE amd64 + i386) -> OK
- portlint -> OK
- portmaster zziplib (with and without textproc/xmlto installed) -> OK

Created attachment 194927 [details]
new-patch-configure

You can include it in the patch-configure.

Comment 24 commit-hook 2018-07-07 06:56:11 UTC

A commit references this bug:

Author: miwi
Date: Sat Jul  7 06:55:42 UTC 2018
New revision: 474059
URL: https://svnweb.freebsd.org/changeset/ports/474059

Log:
  - Fix build when textproc/xmlto is installed in a local env.
  - Bump PORTREVISION

  PR:		226491 229572
  MFH:		2018Q3
  Sponsored by:	iXsystems Inc.

Changes:
  head/devel/zziplib/Makefile

Comment 25 commit-hook 2018-07-07 07:00:20 UTC

A commit references this bug:

Author: miwi
Date: Sat Jul  7 06:59:42 UTC 2018
New revision: 474060
URL: https://svnweb.freebsd.org/changeset/ports/474060

Log:
  aMFH: r474059

  - Fix build when textproc/xmlto is installed in a local env.
  - Bump PORTREVISION

  PR:		226491 229572
  Sponsored by:	iXsystems Inc.

  Approved by:	ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/zziplib/Makefile

Comment 26 Kai Knoblich 2018-07-09 06:36:37 UTC

Created attachment 194977 [details]
zziplib-vuln-rev4.xml

Rebased vuln.xml after r474226.

Comment 27 commit-hook 2018-07-09 08:20:27 UTC

A commit references this bug:

Author: miwi
Date: Mon Jul  9 08:19:47 UTC 2018
New revision: 474238
URL: https://svnweb.freebsd.org/changeset/ports/474238

Log:
  - Document devel/zziplib - multible vulnerabilities

  PR:		226491
  Sponsored by:	iXsystems Inc.

Changes:
  head/security/vuxml/vuln.xml