241420 – textproc/libxslt: Fix CVE-2019-18197

Bug 241420 - textproc/libxslt: Fix CVE-2019-18197

Summary: textproc/libxslt: Fix CVE-2019-18197

Status:	Closed Overcome By Events

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	freebsd-gnome mailing list

URL:	w.schwarzenfeld@utanet.at
Keywords:	security

Depends on:
Blocks:	239131
	Show dependency tree / graph

Reported:	2019-10-22 20:13 UTC by Nathan
Modified:	2020-01-26 18:12 UTC (History)
CC List:	4 users (show)

See Also:	239131

Flags:	bugzilla: maintainer-feedback? (gnome) koobs: merge-quarterly?

Attachments
Fix CVE, close #239131 (2.74 KB, patch) 2019-10-22 20:13 UTC, Nathan	no flags	Details \| Diff
Fix CVE, close #239131 (2.73 KB, patch) 2019-10-22 22:05 UTC, Nathan	no flags	Details \| Diff
VuXML patch (2.02 KB, patch) 2019-10-23 20:17 UTC, Nathan	ndowens04: maintainer-approval? (gnome)	Details \| Diff
CVE-2019-18197 patch (2.79 KB, patch) 2019-10-24 20:37 UTC, Nathan	ndowens04: maintainer-approval? (gnome)	Details \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nathan 2019-10-22 20:13:28 UTC

Created attachment 208512 [details]
Fix CVE, close #239131

I have created a patch for CVE-2019-18197, listed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197 ; I have cherry-picked the commit from the URL listed. I also included a patch for suggestion in bug #239131, to close that bug as well.

Comment 1 Nathan 2019-10-22 22:05:41 UTC

Created attachment 208515 [details]
Fix CVE, close #239131

Remove patch prefixes

Comment 2 Kubilay Kocak freebsd_committer

2019-10-23 02:04:42 UTC

Pending VuXML entry

Comment 3 Nathan 2019-10-23 20:17:33 UTC

Created attachment 208538 [details]
VuXML patch

Added entry for VuXML file

Comment 4 Ting-Wei Lan 2019-10-24 14:10:12 UTC

Comment on attachment 208515 [details]
Fix CVE, close #239131

>--- textproc/libxslt/Makefile
>+++ textproc/libxslt/Makefile
>@@ -3,9 +3,9 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/

Do we really want to use an unofficial site as the only MASTER_SITES?

Comment 5 Nathan 2019-10-24 20:27:44 UTC

(In reply to Ting-Wei Lan from comment #4)
osuosl is a mirror for many FOSS projects, and the other one did not have the new version either, 404

Comment 6 Nathan 2019-10-24 20:37:58 UTC

Created attachment 208586 [details]
CVE-2019-18197 patch

Comment 7 Ting-Wei Lan 2019-10-27 06:58:38 UTC

Comment on attachment 208586 [details]
CVE-2019-18197 patch

>--- a/textproc/libxslt/Makefile
>+++ b/textproc/libxslt/Makefile
>@@ -3,9 +3,10 @@
> 
> PORTNAME=	libxslt
> PORTVERSION=	1.1.33
>+PORTREVISION=	1
> CATEGORIES?=	textproc gnome
>-MASTER_SITES=	http://xmlsoft.org/sources/ \
>-		https://mirror.umd.edu/xbmc/build-deps/sources/
>+MASTER_SITES=	https://ftp.osuosl.org/pub/blfs/conglomeration/libxslt/ \
>+		   ftp://xmlsoft.org/libxslt/

I still don't understand why we want to prefer an unofficial site to the official site. I don't think HTTPS can give any extra security when it is not an official site. Also, FreeBSD ports disable certificate verification by default. I guess the only benefit is that it is less likely to be blocked by firewalls.

Comment 8 Walter Schwarzenfeld freebsd_triage

2020-01-26 18:12:07 UTC

We have version 1.1.34. The changes in transform.c are in the code. Close - overcome by events.