Bug 254793 - security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
Summary: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Koichiro Iwao
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-05 14:48 UTC by Yasuhiro Kimura
Modified: 2021-04-06 14:09 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
Patch file (1.84 KB, patch)
2021-04-05 14:48 UTC, Yasuhiro Kimura
no flags Details | Diff
Updated patch file (2.25 KB, patch)
2021-04-06 13:38 UTC, Yasuhiro Kimura
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura 2021-04-05 14:48:40 UTC
Created attachment 223832 [details]
Patch file

Document XML round-trip vulnerability of REXML in Ruby.
Comment 1 Koichiro Iwao freebsd_committer 2021-04-06 13:29:47 UTC
Failed to apply the patch. Can you resubmit it?
Comment 2 Yasuhiro Kimura 2021-04-06 13:38:29 UTC
Created attachment 223857 [details]
Updated patch file

Chase update of ports tree.
Comment 3 Yasuhiro Kimura 2021-04-06 13:40:07 UTC
(In reply to Koichiro Iwao from comment #1)

Please try updated patch.

Best Regards.
Comment 4 commit-hook freebsd_committer 2021-04-06 13:55:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbbdab46f9b73b3593fb453c4a2523936d569e15

commit cbbdab46f9b73b3593fb453c4a2523936d569e15
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2021-04-05 14:42:08 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2021-04-06 13:53:57 +0000

    security/vuxml: Document XML round-trip vulnerability of REXML in Ruby

    Document XML round-trip vulnerability of REXML in Ruby.

    PR:             254793
    Reported by:    Yasuhiro Kimura <yasu@utahime.org>
    Security:       CVE-2021-28965

 security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 5 Koichiro Iwao freebsd_committer 2021-04-06 14:08:34 UTC
Thanks for the quick follow-up.

Submitting patches generated by `git format-patch` is helpful. Because I can reuse most parts of the submitter's commit message. At least I'm very happy with receiving format-patch style patch.

I can apply the submitter's patch with the following commands.

$ curl -L '<patch URL>' > /tmp/patch
$ git am /tmp/patch
$ git commit --amend --reset-author
(add some commit messages)

The reason why I reset author is the repository blocks commits which has different committer and author.

remote:
remote: ================================================================
remote: meta, you are pushing a commit which author and committer are different:
remote:
remote: author: Yasuhiro Kimura <yasu@utahime.org>
remote: commit: e88e34f77ee344af29c0514ea45557a447d63b67
remote: subject: security/vuxml: Document XML round-trip vulnerability of REXML in Ruby
remote:
remote: Please check the author name and email are correct and then use:
remote:         git push --push-option=confirm-author
remote: ================================================================
To gitrepo.freebsd.org:ports.git
 ! [remote rejected]           main -> main (pre-receive hook declined)
error: failed to push some refs to 'gitrepo.freebsd.org:ports.git'
Comment 6 Koichiro Iwao freebsd_committer 2021-04-06 14:09:06 UTC
Committed, thanks!