Created attachment 218018
Patch for libxml2

Fixes CVE-2019-20388, CVE-2020-7595, CVE-2020-24977

As there's no public announcement as far as I can tell, I'm not sure how I should go about vuxml entry/entries.

Compile tested on FreeBSD 13.0-CURRENT #0 r364979 (AMD64)
Poudriere OK 12.1-RELEASE (AMD64)
Hello,

Thank you very much. Do you have time to prepare a vuxml entry too?

Regards,
Tobias
Hi,

I'm not sure what to put in "entry" #7: https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

Best regards,
Daniel
(In reply to daniel.engberg.lists from comment #2)

I would just take some text from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977 and look at the related links there, for example https://gitlab.gnome.org/GNOME/libxml2/-/issues/178

Some existing entries in the vuln.xml also just use <p>Mitre CVE reports:</p> there. So, I wouldn't spend too much time on that :)

Regards,
Tobias
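For reference, this is the shape of a vuln.xml entry of the kind the comment above describes, with the description body reduced to the "Mitre CVE reports:" paragraph plus quoted text copied from the CVE page. It is an added illustration, not the entry that was eventually committed in r549611. The vid, the affected version range and the discovery date are placeholders (the entry date is the date of that commit); a real vid comes from uuidgen, and the range must match the version the fixed port carries.

```xml
<!-- Added illustration of a security/vuxml entry; not the committed text.
     Placeholders: vid (generate with uuidgen), <lt> version, discovery date. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>libxml2 -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>libxml2</name>
      <!-- Assumed placeholder: the first port version carrying the fixes -->
      <range><lt>PLACEHOLDER_FIXED_VERSION</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Mitre CVE reports:</p>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977">
        <!-- Paste the summary text from the CVE page here; do not paraphrase it -->
        <p>CVE-2020-24977: (summary text from the MITRE page)</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-20388</cvename>
    <cvename>CVE-2020-7595</cvename>
    <cvename>CVE-2020-24977</cvename>
    <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/178</url>
  </references>
  <dates>
    <!-- Assumed placeholder: date the upstream issue was reported -->
    <discovery>YYYY-MM-DD</discovery>
    <entry>2020-09-22</entry>
  </dates>
</vuln>
```

Before submitting, run `make validate` in security/vuxml: it checks the XML against the vuxml DTD and is the quickest way to find out why a URL or date is being rejected.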
I'll leave it to someone who knows vuxml better; it barfs on the URL.
A commit references this bug:

Author: tcberner
Date: Tue Sep 22 17:23:51 UTC 2020
New revision: 549611
URL: https://svnweb.freebsd.org/changeset/ports/549611

Log:
  security/vuxml: document libxml2 vulnerabilities

  PR:		249386

Changes:
  head/security/vuxml/vuln.xml
The patch fixing the CVE-2019-20388, CVE-2020-7595, CVE-2020-24977 is still not committed.
(In reply to p5B2E9A8F from comment #6) No one claimed it was :)
A commit references this bug:

Author: tcberner
Date: Fri Sep 25 20:29:38 UTC 2020
New revision: 550081
URL: https://svnweb.freebsd.org/changeset/ports/550081

Log:
  textproc/libxml2: Multiple vulnerabilities

  Includes upstreams fixes for
  * CVE-2019-20388
  * CVE-2020-7595
  * CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net
  MFH:		2020Q3

Changes:
  head/textproc/libxml2/Makefile
  head/textproc/libxml2/distinfo
A commit references this bug:

Author: tcberner
Date: Sat Sep 26 10:50:41 UTC 2020
New revision: 550160
URL: https://svnweb.freebsd.org/changeset/ports/550160

Log:
  MFH: r550081

  textproc/libxml2: Multiple vulnerabilities

  Includes upstreams fixes for
  * CVE-2019-20388
  * CVE-2020-7595
  * CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net
  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/textproc/libxml2/Makefile
  branches/2020Q3/textproc/libxml2/distinfo
I think we might want to reopen this waiting for a pending fix for https://gitlab.gnome.org/GNOME/libxml2/-/issues/187
There's a patch in GNOME GitLab, 0b3c64d9f2f3e9ce1a98d8f19ee7a763c87e27d5, for the issue mandree@ mentions. It doesn't apply at *all* though, since there's an intervening "make these functions non-recursive" that isn't in the release. So you'd be backporting some large-ish set of commits in order to introduce the problem that that patch then fixes. This seems more like a "wait for next release" thing than anything else. (Putting back to closed, FIXED since that's the status wrt the original report. I *do* wish that GNOME would put out a new release of the library since it's been about 18 months; however, it looks kind of stagnated with lots of open issues and stale MRs)