Bug 249386 - textproc/libxml2: Multiple vulnerabilities
Summary: textproc/libxml2: Multiple vulnerabilities
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-desktop (Team)
URL: https://nvd.nist.gov/vuln/search/resu...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-17 07:00 UTC by daniel.engberg.lists
Modified: 2020-09-27 18:20 UTC (History)
5 users (show)

See Also:
tcberner: maintainer-feedback+


Attachments
Patch for libxml2 (2.08 KB, patch)
2020-09-17 07:00 UTC, daniel.engberg.lists
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description daniel.engberg.lists 2020-09-17 07:00:03 UTC
Created attachment 218018 [details]
Patch for libxml2

Fixes CVE-2019-20388, CVE-2020-7595, CVE-2020-24977

As there's no public announcement as far as I can tell I'm not sure how I should go about vuxml entry/entries.

Compile tested on FreeBSD 13.0-CURRENT #0 r364979 (AMD64)
Poudriere OK 12.1-RELEASE (AMD64)
Comment 1 Tobias C. Berner freebsd_committer 2020-09-17 16:38:18 UTC
Moin Moin

Thanj you very much.
 

Do you have time to prepare a vuxml entry too?


Mfg Tobias
Comment 2 daniel.engberg.lists 2020-09-17 21:16:46 UTC
Hi,

I'm not sure what to put in "entry" #7
https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

Best regards,
Daniel
Comment 3 Tobias C. Berner freebsd_committer 2020-09-18 03:29:57 UTC
(In reply to daniel.engberg.lists from comment #2)

I would just take some text from
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977 
and look at the related links there, for example https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 

Some existing entries in the vuln.xml also just use 
<p>Mitre CVE reports:</p> 
there.

So, I wouldn't spend too much time on that :)



mfg Tobias
Comment 4 daniel.engberg.lists 2020-09-19 12:01:28 UTC
I'll leave it someone who knows vuxml better, it barfs on the URL.
Comment 5 commit-hook freebsd_committer 2020-09-22 17:24:48 UTC
A commit references this bug:

Author: tcberner
Date: Tue Sep 22 17:23:51 UTC 2020
New revision: 549611
URL: https://svnweb.freebsd.org/changeset/ports/549611

Log:
  security/vuxml: document libxml2 vulnerabilities

  PR:		249386

Changes:
  head/security/vuxml/vuln.xml
Comment 6 p5B2E9A8F 2020-09-25 11:33:36 UTC
The patch fixing the CVE-2019-20388, CVE-2020-7595, CVE-2020-24977
is still not committed.
Comment 7 Tobias C. Berner freebsd_committer 2020-09-25 20:26:44 UTC
(In reply to p5B2E9A8F from comment #6)
No one claimed it was :)
Comment 8 commit-hook freebsd_committer 2020-09-25 20:30:26 UTC
A commit references this bug:

Author: tcberner
Date: Fri Sep 25 20:29:38 UTC 2020
New revision: 550081
URL: https://svnweb.freebsd.org/changeset/ports/550081

Log:
  textproc/libxml2: Multiple vulnerabilities

  Includes upstreams fixes for

  	* CVE-2019-20388
  	* CVE-2020-7595
  	* CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net
  MFH:		2020Q3

Changes:
  head/textproc/libxml2/Makefile
  head/textproc/libxml2/distinfo
Comment 9 commit-hook freebsd_committer 2020-09-26 10:50:47 UTC
A commit references this bug:

Author: tcberner
Date: Sat Sep 26 10:50:41 UTC 2020
New revision: 550160
URL: https://svnweb.freebsd.org/changeset/ports/550160

Log:
  MFH: r550081

  textproc/libxml2: Multiple vulnerabilities

  Includes upstreams fixes for

  	* CVE-2019-20388
  	* CVE-2020-7595
  	* CVE-2020-24977

  PR:		249386
  Submitted by:	daniel.engberg.lists@pyret.net

  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/textproc/libxml2/Makefile
  branches/2020Q3/textproc/libxml2/distinfo
Comment 10 Matthias Andree freebsd_committer 2020-09-27 18:20:54 UTC
I think we might want to reopen this waiting for a pending fix for 
https://gitlab.gnome.org/GNOME/libxml2/-/issues/187