Bug 226491 - [PATCH] devel/zziplib: update to 0.13.69 which fixes multiple CVEs
Summary: [PATCH] devel/zziplib: update to 0.13.69 which fixes multiple CVEs
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Martin Wilke
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2018-03-10 00:15 UTC by Kai Knoblich
Modified: 2018-07-09 08:20 UTC (History)
CC: 4 users

See Also:
kai: maintainer-feedback+


Attachments
Patch for zziplib v0.13.68 (5.03 KB, patch)
2018-03-10 00:15 UTC, Kai Knoblich
kai: maintainer-approval+
Details | Diff
Patch for 0.13.68 - revision 2 (5.39 KB, patch)
2018-03-10 00:33 UTC, Kai Knoblich
kai: maintainer-approval+
Details | Diff
Patch for zziplib 0.13.69 (8.20 KB, patch)
2018-03-17 14:00 UTC, Kai Knoblich
kai: maintainer-approval+
Details | Diff
zziplib-vuln.xml (16.71 KB, text/plain)
2018-03-28 19:02 UTC, Kai Knoblich
kai: maintainer-approval+
Details
zziplib-0.13.69-rev2.patch (8.43 KB, patch)
2018-07-06 17:03 UTC, Kai Knoblich
kai: maintainer-approval+
Details | Diff
zziplib-vuln-rev2.xml (16.73 KB, text/plain)
2018-07-06 17:41 UTC, Kai Knoblich
kai: maintainer-approval+
Details
zziplib-vuln-rev3.xml (5.97 KB, text/plain)
2018-07-06 19:24 UTC, Kai Knoblich
kai: maintainer-approval+
Details
zziplib-fix-xmlto.patch / to be applied after r474027 (502 bytes, patch)
2018-07-07 05:35 UTC, Kai Knoblich
kai: maintainer-approval+
Details | Diff
new-patch-configure (1.48 KB, patch)
2018-07-07 06:29 UTC, Walter Schwarzenfeld
no flags Details | Diff
zziplib-vuln-rev4.xml (5.97 KB, text/plain)
2018-07-09 06:36 UTC, Kai Knoblich
kai: maintainer-approval+
Details

Description Kai Knoblich freebsd_committer 2018-03-10 00:15:18 UTC
Created attachment 191360 [details]
Patch for zziplib v0.13.68

Hello,

attached is the patch which updates the port to 0.13.68 and also fixes the following CVEs:

For version 0.13.62:

- CVE-2017-5974
- CVE-2017-5975
- CVE-2017-5976
- CVE-2017-5979
- CVE-2017-5980
- CVE-2017-5981

For version 0.13.67:

- CVE-2017-5977

For version 0.13.68:

- CVE-2018-6381
- CVE-2018-6484
- CVE-2018-6540
- CVE-2018-6541
- CVE-2018-6542

Some days ago there were four new CVEs created which are unresolved at the moment:

- CVE-2018-6869
- CVE-2018-7725
- CVE-2018-7726
- CVE-2018-7727

Thus the chances are high that there will be a new release of zziplib from upstream in the near future.


Changes to the port:
- the project moved from SF to GitHub
- removed no longer required entries from USES
- added textproc/xmlto to BUILD_DEPEND 
- completed/fixed license info

QA:
~~~
- poudriere (11.1R amd64 + i386) -> OK
- portlint -> OK
Comment 1 Kai Knoblich freebsd_committer 2018-03-10 00:33:29 UTC
Created attachment 191362 [details]
Patch for 0.13.68 - revision 2

The new revision also fixes the WWW information.
Comment 2 Kai Knoblich freebsd_committer 2018-03-17 14:00:16 UTC
Created attachment 191575 [details]
Patch for zziplib 0.13.69

Hello,

zziplib 0.13.69 has been released recently. This update fixes the CVEs from the 0.13.68 release.

The full changelog is here:

https://github.com/gdraheim/zziplib/releases/tag/v0.13.69

QA:
~~~
- poudriere (11.1R amd64 + i386) -> OK
- portlint -> OK
Comment 3 Yuri Victorovich freebsd_committer 2018-03-27 22:28:04 UTC
> Some days ago there were four new CVEs created which are unresolved at the moment

Entering such CVEs into VuXML would block devel/zziplib entirely, because it would then be officially vulnerable.
Comment 4 Yuri Victorovich freebsd_committer 2018-03-27 22:35:42 UTC
https://github.com/gdraheim/zziplib/issues/50
Comment 5 Kai Knoblich freebsd_committer 2018-03-28 16:33:05 UTC
(In reply to Yuri Victorovich from comment #4)

Upstream has given an official statement that the current release, v0.13.69, has no known CVEs at the moment.

I have checked this against the CVE database (cve.mitre.org), and those in v0.13.68 were fixed, so v0.13.69 should be non-vulnerable at the moment.

The patch for v0.13.69 is already attached and ready to land.
--
Cheers
Kai
Comment 6 Yuri Victorovich freebsd_committer 2018-03-28 16:39:53 UTC
All fixed CVEs need to be entered into security/vuxml/vuln.xml with versions and dates.
Comment 7 Kai Knoblich freebsd_committer 2018-03-28 19:02:26 UTC
Created attachment 191915 [details]
zziplib-vuln.xml

So the vuln.xml should be up to date in no time with the attached diff.
Comment 8 Kai Knoblich freebsd_committer 2018-07-06 17:03:09 UTC
Created attachment 194919 [details]
zziplib-0.13.69-rev2.patch

Rebased patch after r465870.
Comment 9 Kai Knoblich freebsd_committer 2018-07-06 17:41:12 UTC
Created attachment 194920 [details]
zziplib-vuln-rev2.xml

Rebased vuln.xml after r473963.
Comment 10 commit-hook freebsd_committer 2018-07-06 17:58:42 UTC
A commit references this bug:

Author: miwi
Date: Fri Jul  6 17:57:49 UTC 2018
New revision: 474027
URL: https://svnweb.freebsd.org/changeset/ports/474027

Log:
  - Update to 0.13.68
  - Security fixes for:
  - CVE-2017-5974
  - CVE-2017-5975
  - CVE-2017-5976
  - CVE-2017-5979
  - CVE-2017-5980
  - CVE-2017-5981
  - CVE-2017-5977
  - CVE-2018-6381
  - CVE-2018-6484
  - CVE-2018-6540
  - CVE-2018-6541
  - CVE-2018-6542
  - CVE-2018-6869
  - CVE-2018-7725
  - CVE-2018-7726
  - CVE-2018-7727

  PR:	226491
  Submitted by:	maintainer
  MFH:	2018Q3

Changes:
  head/devel/zziplib/Makefile
  head/devel/zziplib/distinfo
  head/devel/zziplib/files/patch-configure
  head/devel/zziplib/files/patch-zzip_Makefile.in
  head/devel/zziplib/pkg-descr
  head/devel/zziplib/pkg-plist
Comment 11 commit-hook freebsd_committer 2018-07-06 18:06:50 UTC
A commit references this bug:

Author: miwi
Date: Fri Jul  6 18:05:52 UTC 2018
New revision: 474029
URL: https://svnweb.freebsd.org/changeset/ports/474029

Log:
  MFH: r474027 r474028

  - Update to 0.13.68
  - Security fixes for:
  - CVE-2017-5974
  - CVE-2017-5975
  - CVE-2017-5976
  - CVE-2017-5979
  - CVE-2017-5980
  - CVE-2017-5981
  - CVE-2017-5977
  - CVE-2018-6381
  - CVE-2018-6484
  - CVE-2018-6540
  - CVE-2018-6541
  - CVE-2018-6542
  - CVE-2018-6869
  - CVE-2018-7725
  - CVE-2018-7726
  - CVE-2018-7727

  PR:	226491
  Submitted by:	maintainer

  - Added/RM missing patches

  Approved by: ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/zziplib/Makefile
  branches/2018Q3/devel/zziplib/distinfo
  branches/2018Q3/devel/zziplib/files/patch-configure
  branches/2018Q3/devel/zziplib/files/patch-docs_Makefile.in
  branches/2018Q3/devel/zziplib/files/patch-docs_dbk2man.py
  branches/2018Q3/devel/zziplib/files/patch-zzip_Makefile.in
  branches/2018Q3/devel/zziplib/pkg-descr
  branches/2018Q3/devel/zziplib/pkg-plist
Comment 12 Martin Wilke freebsd_committer 2018-07-06 18:08:12 UTC
Committed. The vuxml entry is still missing; I will combine it into one entry.
Comment 13 Kai Knoblich freebsd_committer 2018-07-06 19:24:17 UTC
Created attachment 194922 [details]
zziplib-vuln-rev3.xml

Compressed all CVEs into one vuxml entry.
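Comment 6 asks that all fixed CVEs be entered into vuln.xml with versions and dates, and comment 13 folds them into one entry. The script below is an added example (not Kai's attachment or the entry committed in r474238) that cross-checks such an entry against the CVE list from the commit log: the embedded entry is constructed, its vid and dates are placeholders, it deliberately leaves CVE-2018-7727 out so the check has something to report, and the version comparison is a simplified dotted-numeric one rather than pkg's full algorithm.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# The 16 CVE ids listed in the r474027 commit log on this bug.
EXPECTED_CVES = {
    "CVE-2017-5974", "CVE-2017-5975", "CVE-2017-5976", "CVE-2017-5977",
    "CVE-2017-5979", "CVE-2017-5980", "CVE-2017-5981", "CVE-2018-6381",
    "CVE-2018-6484", "CVE-2018-6540", "CVE-2018-6541", "CVE-2018-6542",
    "CVE-2018-6869", "CVE-2018-7725", "CVE-2018-7726", "CVE-2018-7727",
}

# Constructed entry (placeholder vid and dates); CVE-2018-7727 is left out on purpose.
SAMPLE_VULN = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>zziplib -- multiple vulnerabilities</topic>
  <affects><package><name>zziplib</name>
    <range><lt>0.13.69</lt></range></package></affects>
  <references>
    <cvename>CVE-2017-5974</cvename><cvename>CVE-2017-5975</cvename><cvename>CVE-2017-5976</cvename>
    <cvename>CVE-2017-5977</cvename><cvename>CVE-2017-5979</cvename><cvename>CVE-2017-5980</cvename>
    <cvename>CVE-2017-5981</cvename><cvename>CVE-2018-6381</cvename><cvename>CVE-2018-6484</cvename>
    <cvename>CVE-2018-6540</cvename><cvename>CVE-2018-6541</cvename><cvename>CVE-2018-6542</cvename>
    <cvename>CVE-2018-6869</cvename><cvename>CVE-2018-7725</cvename><cvename>CVE-2018-7726</cvename>
  </references>
  <dates><discovery>2017-02-14</discovery><entry>2018-07-09</entry></dates>
</vuln></vuxml>"""


def vers(s):  # simplified dotted-numeric compare; pkg's real rules are richer
    return tuple(int(p) for p in s.split("."))


def missing_cves(vuxml_text, expected):
    # CVE ids from the commit log that the entry does not reference
    root = ET.fromstring(vuxml_text)
    listed = {c.text.strip() for c in root.iterfind(".//v:cvename", NS)}
    return sorted(set(expected) - listed)


def is_affected(vuxml_text, pkg, version):
    # True if pkg/version lies inside any <range>; only <ge>/<lt> bounds handled
    root = ET.fromstring(vuxml_text)
    for package in root.iterfind(".//v:package", NS):
        if package.findtext("v:name", namespaces=NS) != pkg:
            continue
        for rng in package.iterfind("v:range", NS):
            lo, hi = (rng.findtext(t, namespaces=NS) for t in ("v:ge", "v:lt"))
            if (lo is None or vers(version) >= vers(lo)) and (
                    hi is None or vers(version) < vers(hi)):
                return True
    return False
```

Running `missing_cves(SAMPLE_VULN, EXPECTED_CVES)` reports the one omitted id, and `is_affected` confirms that 0.13.68 falls in the range while 0.13.69 does not.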
Comment 14 Walter Schwarzenfeld freebsd_triage 2018-07-06 20:46:45 UTC
update failed with:
 "unix man format of the manpages - goes to ../share/man/man3"
going to regenerate manpages.tar in subdir 'man'
test ! -d man3 || rm man3/* ; test -d man3 || mkdir man3
/usr/local/bin/xmlto -o man3 man zziplib.xml
xmlto: /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml does not validate (status 3)
xmlto: Fix document syntax or use --skip-validation option
I/O error : Attempt to load network entity http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd
/ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml:2: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
       "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
                                                                  ^
I/O error : Attempt to load network entity http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd
warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
validity error : Could not load the external subset "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
Document /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/zziplib.xml does not validate
*** [manpages.tar] Error code 13

make[4]: stopped in /ram/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs
1 error

Putting back

CONFIGURE_ENV=	ac_cv_path_XMLTO=":"

in the Makefile solves it.
Comment 15 Kai Knoblich freebsd_committer 2018-07-06 21:51:09 UTC
(In reply to w.schwarzenfeld from comment #14)

Hello Walter,

thanks for your info. I cannot reproduce the problem with poudriere at the moment, and I did a comparison of the build logs. It seems that the Python script "dbk2man.py" is not invoked in your build for some as yet unknown reason.

Below is the partial output of the related sections where the building of the manpages started (11.2-RELEASE amd64):

> [...]
> "unix man format of the manpages - goes to ../share/man/man3"
> going to regenerate manpages.tar in subdir 'man'
> test ! -d man3 || rm man3/* ; test -d man3 || mkdir man3
> ./dbk2man.py -d man3 zziplib.xml
> ./dbk2man.py -d man3 zzipmmapped.xml
> ./dbk2man.py -d man3 zzipfseeko.xml
> chmod 664 man3/*.3
> /bin/pax -w -O -f "manpages.tar" man3/
> echo deleting...; rm man3/*.3 ; rmdir man3
> deleting...
> cp manpages.tar zziplib-manpages.tar (saved)
> [...]
Comment 16 Walter Schwarzenfeld freebsd_triage 2018-07-07 01:53:20 UTC
See Bug 229572 - same error.
Comment 17 Tomoaki AOKI 2018-07-07 01:59:46 UTC
(In reply to Kai from comment #15)

Cannot find "dbk2man.py". It looks like a missing dependency.
In which port is it included?
Or does it exist only on your system as a not-yet-committed port?
  `find /usr/ports/ -name "pkg-plist*" | xargs grep -n "dbk2man"`
doesn't find anything. (Possibly auto-plist ones, though.)

In addition, the proposed fix by w.schwarzenfeld@utanet.at helped.
Comment 18 Walter Schwarzenfeld freebsd_triage 2018-07-07 02:13:13 UTC
find /usr/ports/devel/zziplib/work/zziplib-0.13.69/* -name dbk2man.py
/usr/ports/devel/zziplib/work/zziplib-0.13.69/docs/dbk2man.py

and
files/patch-docs_dbk2man.py
Comment 19 Walter Schwarzenfeld freebsd_triage 2018-07-07 02:18:13 UTC
The file is only needed for the build.
Comment 20 Walter Schwarzenfeld freebsd_triage 2018-07-07 02:25:59 UTC
(In reply to Kai from comment #15)
Yes, it builds with poudriere. But it does not build with portmaster and port.
Comment 21 Kai Knoblich freebsd_committer 2018-07-07 05:10:22 UTC
(In reply to w.schwarzenfeld from comment #20)

I think I've found the root cause:

If textproc/xmlto is installed, the build will fail because the configure environment then uses xmlto instead of the dbk2man.py script to generate the man pages.

Thus your suggested workaround of putting back the CONFIGURE_ENV variable is required to remedy the problem in build environments where textproc/xmlto is installed.

I will generate a patch shortly after this message.
Comment 22 Kai Knoblich freebsd_committer 2018-07-07 05:35:25 UTC
Created attachment 194926 [details]
zziplib-fix-xmlto.patch / to be applied after r474027

This patch re-adds CONFIGURE_ENV to make builds possible in environments where textproc/xmlto is installed, after r474027 was committed.


QA:
~~~
- poudriere (11.2-RELEASE amd64 + i386) -> OK
- portlint -> OK
- portmaster zziplib (with and without textproc/xmlto installed) -> OK
Comment 23 Walter Schwarzenfeld freebsd_triage 2018-07-07 06:29:00 UTC
Created attachment 194927 [details]
new-patch-configure

You can include it in the patch-configure.
Comment 24 commit-hook freebsd_committer 2018-07-07 06:56:11 UTC
A commit references this bug:

Author: miwi
Date: Sat Jul  7 06:55:42 UTC 2018
New revision: 474059
URL: https://svnweb.freebsd.org/changeset/ports/474059

Log:
  - Fix build when textproc/xmlto is installed in a local env.
  - Bump PORTREVISION

  PR:		226491 229572
  MFH:		2018Q3
  Sponsored by:	iXsystems Inc.

Changes:
  head/devel/zziplib/Makefile
Comment 25 commit-hook freebsd_committer 2018-07-07 07:00:20 UTC
A commit references this bug:

Author: miwi
Date: Sat Jul  7 06:59:42 UTC 2018
New revision: 474060
URL: https://svnweb.freebsd.org/changeset/ports/474060

Log:
  MFH: r474059

  - Fix build when textproc/xmlto is installed in a local env.
  - Bump PORTREVISION

  PR:		226491 229572
  Sponsored by:	iXsystems Inc.

  Approved by:	ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/zziplib/Makefile
Comment 26 Kai Knoblich freebsd_committer 2018-07-09 06:36:37 UTC
Created attachment 194977 [details]
zziplib-vuln-rev4.xml

Rebased vuln.xml after r474226.
Comment 27 commit-hook freebsd_committer 2018-07-09 08:20:27 UTC
A commit references this bug:

Author: miwi
Date: Mon Jul  9 08:19:47 UTC 2018
New revision: 474238
URL: https://svnweb.freebsd.org/changeset/ports/474238

Log:
  - Document devel/zziplib - multiple vulnerabilities

  PR:		226491
  Sponsored by:	iXsystems Inc.

Changes:
  head/security/vuxml/vuln.xml