Bug 254793 - security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
Summary: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Koichiro Iwao
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-05 14:48 UTC by Yasuhiro Kimura
Modified: 2021-04-06 14:09 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)

Attachments
Patch file (1.84 KB, patch)
2021-04-05 14:48 UTC, Yasuhiro Kimura 		no flags Details | Diff
Updated patch file (2.25 KB, patch)
2021-04-06 13:38 UTC, Yasuhiro Kimura 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-05 14:48:40 UTC 
Created attachment 223832 [details]
Patch file

Document XML round-trip vulnerability of REXML in Ruby.
Comment 1 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 13:29:47 UTC 
Failed to apply the patch. Can you resubmit it?
Comment 2 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-06 13:38:29 UTC 
Created attachment 223857 [details]
Updated patch file

Chase update of ports tree.
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-04-06 13:40:07 UTC 
(In reply to Koichiro Iwao from comment #1)

Please try updated patch.

Best Regards.
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-04-06 13:55:08 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbbdab46f9b73b3593fb453c4a2523936d569e15

commit cbbdab46f9b73b3593fb453c4a2523936d569e15
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2021-04-05 14:42:08 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2021-04-06 13:53:57 +0000

    security/vuxml: Document XML round-trip vulnerability of REXML in Ruby

    Document XML round-trip vulnerability of REXML in Ruby.

    PR:             254793
    Reported by:    Yasuhiro Kimura <yasu@utahime.org>
    Security:       CVE-2021-28965

 security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 5 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 14:08:34 UTC 
Thanks for the quick follow-up.

Submitting patches generated by `git format-patch` is helpful. Because I can reuse most parts of the submitter's commit message. At least I'm very happy with receiving format-patch style patch.

I can apply the submitter's patch with the following commands.

$ curl -L '<patch URL>' > /tmp/patch
$ git am /tmp/patch
$ git commit --amend --reset-author
(add some commit messages)

The reason why I reset author is the repository blocks commits which has different committer and author.

remote:
remote: ================================================================
remote: meta, you are pushing a commit which author and committer are different:
remote:
remote: author: Yasuhiro Kimura <yasu@utahime.org>
remote: commit: e88e34f77ee344af29c0514ea45557a447d63b67
remote: subject: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
remote:
remote: Please check the author name and email are correct and then use:
remote:         git push --push-option=confirm-author
remote: ================================================================
To gitrepo.freebsd.org:ports.git
 ! [remote rejected]           main -> main (pre-receive hook declined)
error: failed to push some refs to 'gitrepo.freebsd.org:ports.git'
Comment 6 Koichiro Iwao freebsd_committer freebsd_triage 2021-04-06 14:09:06 UTC 
Committed, thanks!