Bug 233896 - archivers/libmspack: Update to 0.9.1 (Fixes several security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Ports Security Team
URL: https://www.cabextract.org.uk/libmspa...
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2018-12-09 19:44 UTC by Henry
Modified: 2020-07-24 04:14 UTC

See Also:
bugzilla: maintainer-feedback? (fjoe)
koobs: maintainer-feedback? (ports-secteam)


Attachments
0.9.1 patch (1022 bytes, patch)
2018-12-09 19:44 UTC, Henry

Description Henry 2018-12-09 19:44:06 UTC
Created attachment 199990
0.9.1 patch

CVEs fixed are the top 9 from https://www.cabextract.org.uk/libmspack/#vulns
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-10 04:42:44 UTC
Pending (requires) VuXML entry
Comment 2 Max Khon freebsd_committer freebsd_triage 2018-12-11 08:44:14 UTC
Committed, thanks!
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-12-11 08:45:02 UTC
A commit references this bug:

Author: fjoe
Date: Tue Dec 11 08:44:00 UTC 2018
New revision: 487227
URL: https://svnweb.freebsd.org/changeset/ports/487227

Log:
  Update to 0.9.1alpha

  PR:		233896
  Submitted by:	Henry David Bartholomew

Changes:
  head/archivers/libmspack/Makefile
  head/archivers/libmspack/distinfo
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2018-12-14 03:42:09 UTC
Re-open for VuXML entry and MFH
Comment 5 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:36:17 UTC
What is the current status?
Does ports-secteam have to be active here?
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-04-24 05:44:50 UTC
VuXML entries were not added for this (0.9.1) or previous releases

The last libmspack VuXML entry was <vuln vid="cc7548ef-06e1-11e5-8fda-002590263bf5"> added <entry>2015-05-31</entry> for version < 0.5

This leaves 10 CVEs (security vulnerabilities) not reported to users (per https://www.cabextract.org.uk/libmspack/#vulns)
Comment 7 Jochen Neumeister freebsd_committer freebsd_triage 2019-05-17 12:29:18 UTC
ping @fjoe
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-23 02:49:12 UTC
Over to ports-secteam, no maintainer response since 2018-12-14

VuXML entries for latest and previous version vulnerabilities (at least 10) remain to be added
Comment 9 Jochen Neumeister freebsd_committer freebsd_triage 2020-07-23 15:30:11 UTC
After such a long time, I see no point in creating a vuxml entry. I'm closing here.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:16:06 UTC
@Jochen I don't understand how the time it has been is related or relevant to documenting known security vulnerabilities in VuXML?

If this is a matter of limited available cycles at ports-secteam to document vulnerabilities (in this case > 10 of them), we can put a call out for others to contribute the change
Comment 11 Jochen Neumeister freebsd_committer freebsd_triage 2020-07-24 04:14:10 UTC
@Kubilay, I made this decision as ports-secteam. If you want to add the entry, please reopen this PR. Otherwise I consider it done.