Bug 241422 - textproc/unoconv: Update to 0.8.2, Fix CVE-2019-17400
Summary: textproc/unoconv: Update to 0.8.2, Fix CVE-2019-17400
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-ports-bugs mailing list
URL: https://github.com/unoconv/unoconv/co...
Keywords: buildisok, security
Depends on:
Blocks:
 
Reported: 2019-10-22 21:41 UTC by Nathan
Modified: 2019-11-03 12:17 UTC (History)
2 users (show)

See Also:
koobs: merge-quarterly?


Attachments
update ; add CVE patch (9.06 KB, patch)
2019-10-22 21:41 UTC, Nathan
no flags Details | Diff
update ; add CVE patch (9.04 KB, patch)
2019-10-22 22:03 UTC, Nathan
koobs: maintainer-approval+
Details | Diff
VuXML entry (1.59 KB, patch)
2019-10-23 20:20 UTC, Nathan
ndowens04: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Nathan 2019-10-22 21:41:19 UTC
Created attachment 208513 [details]
update ; add CVE patch

Updated to latest version, also applied a cherry-pick to fix CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17400

Changed source to Github, newest version wasn't on the site previously in MASTER_SITES

Tested unoconv after update via converting a adoc file to a pdf file and it worked. Also did 'unoconv --listener' listed in bug #239106 and got no segfault listed in the bug report.

Built fine in poudriere for:
12/13-amd64 12/13-i386 and 12-arm64
Comment 1 Nathan 2019-10-22 22:03:02 UTC
Created attachment 208514 [details]
update ; add CVE patch

Removed patch prefixes
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:03:08 UTC
Comment on attachment 208514 [details]
update ; add CVE patch

Approved by: portmgr (unmaintained port)
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:05:08 UTC
Pending VuXML entry
Comment 4 Automation User 2019-10-23 02:31:11 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/90759961
Comment 5 Nathan 2019-10-23 03:07:40 UTC
(In reply to Kubilay Kocak from comment #3)
Will work on this tomorrow sometime
Comment 6 Nathan 2019-10-23 20:20:03 UTC
Created attachment 208540 [details]
VuXML entry
Comment 7 Raphael Kubo da Costa freebsd_committer 2019-11-03 12:17:51 UTC
files/patch_unoconv is not in a unified diff format -- see how there are multiple "<<<<< HEAD", "======" and ">>>>> " lines in there.

If the upstream commit applies cleanly on 0.8.2, I suggest just downloading the commit from GitHub in a diff format (https://github.com/unoconv/unoconv/commit/acfac594e643f9c44f1c3b8d6d8957190a4d76f2.diff) and removing the "a/" and "b/" from the paths.

The VuXML entry needs to be adjusted too:
- The <topic> entry usually begins with "$packagename --" (so "unoconv -- SSRF and local file inclusion").
- The <p> entry inside the <blockquote> has a leading "escription" that shouldn't be there.
- You should add <freebsdpr> and <cvename> entries to <references>