Bug 241420 - textproc/libxslt: Fix CVE-2019-18197
Summary: textproc/libxslt: Fix CVE-2019-18197
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-gnome (Nobody)
URL: w.schwarzenfeld@utanet.at
Keywords: security
Depends on:
Blocks: 239131
  Show dependency treegraph
 
Reported: 2019-10-22 20:13 UTC by Nathan
Modified: 2020-01-26 18:12 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (gnome)
koobs: merge-quarterly?

Attachments
Fix CVE, close #239131 (2.74 KB, patch)
2019-10-22 20:13 UTC, Nathan 		no flags Details | Diff
Fix CVE, close #239131 (2.73 KB, patch)
2019-10-22 22:05 UTC, Nathan 		no flags Details | Diff
VuXML patch (2.02 KB, patch)
2019-10-23 20:17 UTC, Nathan 		ndowens04: maintainer-approval? (gnome)
 Details | Diff
CVE-2019-18197 patch (2.79 KB, patch)
2019-10-24 20:37 UTC, Nathan 		ndowens04: maintainer-approval? (gnome)
 Details | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nathan 2019-10-22 20:13:28 UTC 
Created attachment 208512 [details]
Fix CVE, close #239131

I have created a patch for CVE-2019-18197, listed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197 ; I have cherry-picked the commit from the URL listed. I also included a patch for suggestion in bug #239131, to close that bug as well.
Comment 1 Nathan 2019-10-22 22:05:41 UTC 
Created attachment 208515 [details]
Fix CVE, close #239131

Remove patch prefixes
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:04:42 UTC 
Pending VuXML entry
Comment 3 Nathan 2019-10-23 20:17:33 UTC 
Created attachment 208538 [details]
VuXML patch

Added entry for VuXML file
Comment 4 Ting-Wei Lan 2019-10-24 14:10:12 UTC 
Comment on attachment 208515 [details]
Fix CVE, close #239131

>--- textproc/libxslt/Makefile
>+++ textproc/libxslt/Makefile
>@@ -3,9 +3,9 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/

Do we really want to use an unofficial site as the only MASTER_SITES?
Comment 5 Nathan 2019-10-24 20:27:44 UTC 
(In reply to Ting-Wei Lan from comment #4)
osuosl is a mirror for many FOSS projects, and the other one did not have the new version either, 404
Comment 6 Nathan 2019-10-24 20:37:58 UTC 
Created attachment 208586 [details]
CVE-2019-18197 patch
Comment 7 Ting-Wei Lan 2019-10-27 06:58:38 UTC 
Comment on attachment 208586 [details]
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,10 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \
>+		   ftp://xmlsoft.org/libxslt/

I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.
Comment 8 Walter Schwarzenfeld freebsd_triage 2020-01-26 18:12:07 UTC 
We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.