Created attachment 214066: Patch for json-c
Update json-c to 0.14
Switch to CMake
Remove patches as they're merged in upstream repo
Tested on FreeBSD 13.0-CURRENT r360454 (make test) both static and shared successfully.
Poudriere testport OK 12.1-RELEASE (AMD64)
Created attachment 214171: Patch for json-c v2
Set USE_LDCONFIG variable
Hi Sunpoet, Is this something you can have a look at? Best regards, Daniel
Created attachment 214403: Patch for json-c v3
Remove pkgconfig in USES=
Created attachment 214481: Patch for json-c v4
Backport CMake changes, restores static lib
Backport fix for CVE-2020-12762
Created attachment 214483: Patch for json-c v5
Forgot to remove workaround in Makefile for upstream PR 585 as CMake related files are up to date. Sorry!
Created attachment 214486: Patch for json-c v6
Restore USE_LDCONFIG
Note I've marked json-c < 0.15 vulnerable per r535226, so if the security fix be backported, then also change the version in security/vuxml/vuln.xml accordingly.
Created attachment 214488: Patch for json-c v7
Partially backport commit 519dfe1591d85432986f9762d41d1a883198c157 to fix regression reported in issue #599
Summary as of v7:
Update json-c to 0.14
Switch to CMake
Remove patches as they're merged in upstream repo
Partially backport CMake changes from master branch as of 20200510, fixes building both static and shared libraries
Backport upstream PR585, fixes CVE-2020-12762
Partially backport commit 519dfe1, fixes regression (issue #599)
References:
https://github.com/json-c/json-c/pull/585
https://svnweb.freebsd.org/ports?view=revision&revision=535226
https://github.com/json-c/json-c/issues/599
Thanks for your information and the patch. But I still have to make the patch from scratch. For example, I would keep the github commit links in the patch file to help identify where it comes from. And I don't understand why you added changes to cmake-configure and cmake/config.h.in. I've added the following commits to the newer patch in bug #246389.
https://github.com/json-c/json-c/commit/22870ac2bd4cfdd135887ecc8cbbe02e7ef0c34e
https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be
https://github.com/json-c/json-c/commit/4f43a077a497f94214645ce9763247ec085e2094
https://github.com/json-c/json-c/commit/519dfe1591d85432986f9762d41d1a883198c157
https://github.com/json-c/json-c/commit/8b511c402b73d1d8b195991891c8d44859cb57ec
Let's wait for the exp-run result. Thanks!
(In reply to Matthias Andree from comment #7) Thanks for adding the vuxml entry. I've updated the patch for exp-run. That means the security fix would land in the ports tree along with the 0.14 update. I'll change it to <lt>0.14</lt>.
(In reply to Sunpoet Po-Chuan Hsieh from comment #10) Hi, Since the CMake files had multiple changes to them after the release, I went with the easiest way of fixing building of both static and shared libraries instead of trying to partially backport multiple commits. I also made the assumption that these will be obsolete (fixed) in the next release.
cmake-configure --> https://github.com/json-c/json-c/commit/a100573eecf66daa6b50113c016b8a2563b1504e#diff-008f08ef2adf0ae7ac47d03611a35922
As for cmake/config.h.in, unless I misread the diffs, it seems to touch more than what the commit message suggests, so I went for the latest version to avoid build issues.
https://github.com/json-c/json-c/commits/master/cmake/config.h.in
Best regards, Daniel
(In reply to Matthias Andree from comment #7) I've added the security fix into the json-c 0.14 patch for exp-run, thus I'll change it to 0.14.
Bump - it would be really appreciated if this could be pushed a bit as this is security relevant! Thanks!
json-c 0.14 landed.