Bug 241420 - textproc/libxslt: Fix CVE-2019-18197
Summary: textproc/libxslt: Fix CVE-2019-18197
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any (OS: Any)
Importance: Normal / Affects Many People
Assignee: freebsd-gnome mailing list
URL: w.schwarzenfeld@utanet.at
Keywords: security
Depends on:
Blocks: 239131
Reported: 2019-10-22 20:13 UTC by Nathan
Modified: 2020-01-26 18:12 UTC (History)
CC List: 4 users

See Also:
bugzilla: maintainer-feedback? (gnome)
koobs: merge-quarterly?


Attachments
Fix CVE, close #239131 (2.74 KB, patch) - 2019-10-22 20:13 UTC, Nathan - no flags
Fix CVE, close #239131 (2.73 KB, patch) - 2019-10-22 22:05 UTC, Nathan - no flags
VuXML patch (2.02 KB, patch) - 2019-10-23 20:17 UTC, Nathan - ndowens04: maintainer-approval? (gnome)
CVE-2019-18197 patch (2.79 KB, patch) - 2019-10-24 20:37 UTC, Nathan - ndowens04: maintainer-approval? (gnome)

Description Nathan 2019-10-22 20:13:28 UTC
Created attachment 208512
Fix CVE, close #239131

I have created a patch for CVE-2019-18197, listed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197; I have cherry-picked the commit from the URL listed. I also included a patch for the suggestion in bug #239131, to close that bug as well.
Comment 1 Nathan 2019-10-22 22:05:41 UTC
Created attachment 208515
Fix CVE, close #239131

Remove patch prefixes
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:04:42 UTC
Pending VuXML entry
Comment 3 Nathan 2019-10-23 20:17:33 UTC
Created attachment 208538
VuXML patch

Added entry for VuXML file
Comment 4 Ting-Wei Lan 2019-10-24 14:10:12 UTC
Comment on attachment 208515
Fix CVE, close #239131

>--- textproc/libxslt/Makefile
>+++ textproc/libxslt/Makefile
>@@ -3,9 +3,9 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/
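Review bot: the MASTER_SITES change in this hunk drops the official xmlsoft.org site entirely and leaves the unofficial osuosl mirror as the only source, so fetching the unchanged 1.1.33 distfile (PORTVERSION is not bumped, only PORTREVISION) now depends on a single third-party host. Keep the official site in the list and add the mirror as a fallback rather than a replacement, e.g. `MASTER_SITES= http://xmlsoft.org/sources/ \` followed by `https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/` on the continuation line.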

Do we really want to use an unofficial site as the only MASTER_SITES?
Comment 5 Nathan 2019-10-24 20:27:44 UTC
(In reply to Ting-Wei Lan from comment #4)
osuosl is a mirror for many FOSS projects, and the other one did not have the new version either (404).
Comment 6 Nathan 2019-10-24 20:37:58 UTC
Created attachment 208586
CVE-2019-18197 patch
Comment 7 Ting-Wei Lan 2019-10-27 06:58:38 UTC
Comment on attachment 208586
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,10 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \
>+		   ftp://xmlsoft.org/libxslt/
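Review bot: the official site is now present but listed second and only over plain ftp://, behind the unofficial mirror; list the official site first so the mirror acts as the fallback. As the maintainer comment below notes, the ports fetch does not verify certificates by default, so the mirror's HTTPS adds no integrity guarantee over ftp here and the ordering should rest on provenance and availability; a line like `MASTER_SITES= ftp://xmlsoft.org/libxslt/ \` with the osuosl mirror on the continuation line would do.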

I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.
Comment 8 Walter Schwarzenfeld freebsd_triage 2020-01-26 18:12:07 UTC
We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.