Bug 238854 - archivers/bzip2: Update to 1.0.7 (Fixes security vulnerabilities)
Summary: archivers/bzip2: Update to 1.0.7 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Steve Wills
URL: https://gitlab.com/federicomenaquinte...
Keywords: needs-qa, security
Depends on:
Reported: 2019-06-27 19:53 UTC by jharris
Modified: 2019-06-30 21:49 UTC (History)
2 users (show)

See Also:
jharris: maintainer-feedback+
koobs: merge-quarterly?

patch to update bzip2 to 1.0.7 (1.21 KB, patch)
2019-06-27 19:53 UTC, jharris
jharris: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description jharris 2019-06-27 19:53:12 UTC
Created attachment 205383 [details]
patch to update bzip2 to 1.0.7

New release, fixes CVE-2016-3189 and CVE-2019-12900:


Updates WWW to gitlab.com (no tarballs/releases) and MASTER_SITES to sourceware.org, which has a GnuPG signature:

gpg: assuming signed data in `/usr/ports/distfiles/bzip2-1.0.7.tar.gz'
gpg: Signature made Thu Jun 27 18:16:01 2019 UTC using RSA key ID ACD99A78
gpg: using subkey ACD99A78 instead of primary key 49DE760A
gpg: Good signature from "Mark Wielaard <@klomp.org>"
gpg:                 aka "Mark Wielaard <@gnu.org>"
gpg:                 aka "Mark Wielaard <@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC3C FE88 F6CA 0788 774F  5C1D 1AA4 4BE6 49DE 760A
     Subkey fingerprint: 1276 8A96 7959 9010 7A0D  2FDF FC57 E3CC ACD9 9A78
gpg: binary signature, digest algorithm SHA256

Old version/mirror at https://sourceforge.net/projects/bzip2/ hasn't caught up...
Comment 1 Xin LI freebsd_committer 2019-06-28 17:13:42 UTC
Unrelated to the update itself, but do we really need a port for bzip2?  It's part of the base system since as late as FreeBSD 5.0 (16 years ago)...
Comment 2 jharris 2019-06-28 17:47:37 UTC
(In reply to Xin LI from comment #1)

Well, I’m already using the updated, CVE-free version without rebooting.  I find value in that.  Also, the code is now in gitlab and under renewed development, which the port makes easy to test.

I personally think it is pointless to continue to bikeshed and/or remove 1 in 32,500 ports, making it harder to test (and atomically cleanup via pkg) new versions of ESSENTIAL software...

How many bytes are we saving, and to what end?

Of course, I’m all for a disclaimers in pkg-descr for the ports that are also in base.

Comment 3 commit-hook freebsd_committer 2019-06-30 21:48:12 UTC
A commit references this bug:

Author: swills
Date: Sun Jun 30 21:47:17 UTC 2019
New revision: 505506
URL: https://svnweb.freebsd.org/changeset/ports/505506

  Document minor bzip2 issues

  PR:		238854

Comment 4 commit-hook freebsd_committer 2019-06-30 21:48:14 UTC
A commit references this bug:

Author: swills
Date: Sun Jun 30 21:47:45 UTC 2019
New revision: 505507
URL: https://svnweb.freebsd.org/changeset/ports/505507

  archivers/bzip2: update to 1.0.7

  PR:		238854
  Submitted by:	jharris@widomaker.com (maintainer)
  MFH:		2019Q2
  Security:	4b6cb45d-881e-447a-a4e0-c97a954ea758

Comment 5 commit-hook freebsd_committer 2019-06-30 21:49:17 UTC
A commit references this bug:

Author: swills
Date: Sun Jun 30 21:48:25 UTC 2019
New revision: 505509
URL: https://svnweb.freebsd.org/changeset/ports/505509

  MFH: r505507

  archivers/bzip2: update to 1.0.7

  PR:		238854
  Submitted by:	jharris@widomaker.com (maintainer)
  Security:	4b6cb45d-881e-447a-a4e0-c97a954ea758

  Approved by:	ports-secteam (implicit)

_U  branches/2019Q2/
Comment 6 Steve Wills freebsd_committer 2019-06-30 21:49:28 UTC
Committed, thanks!