Bug 256094 - textproc/libxml2: Add upstream patch to fix CVE-2021-3541
Summary: textproc/libxml2: Add upstream patch to fix CVE-2021-3541
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-desktop (Team)
URL: https://gitlab.gnome.org/GNOME/libxml...
Keywords:
Depends on: 256093
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-23 03:37 UTC by Yasuhiro Kimura
Modified: 2021-05-23 14:48 UTC (History)
1 user (show)

See Also:
tcberner: maintainer-feedback+
tcberner: merge-quarterly+


Attachments
Patch file (11.78 KB, patch)
2021-05-23 03:37 UTC, Yasuhiro Kimura
no flags Details | Diff
Updated patch file (3.21 KB, patch)
2021-05-23 06:59 UTC, Yasuhiro Kimura
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer 2021-05-23 03:37:31 UTC
Created attachment 225186 [details]
Patch file

Update to 2.9.12.

Changes: https://gitlab.gnome.org/GNOME/libxml2/-/commits/v2.9.12
Security: CVE-2021-3541

Bug #256093 describes vulnerability fixed with this update. So please commit it together.
Comment 1 Yasuhiro Kimura freebsd_committer 2021-05-23 05:12:32 UTC
I found bug #256078 also updates this port to 2.9.12. But it also changes build tool from GNU autotools to CMake. And submitter says it is still WIP. On the other hands, Update to 2.9.12 includes fix of CVE-2021-3541. So my patch should be committed ASAP rather than waiting for working of bug #256078 will be finished.
Comment 2 Yasuhiro Kimura freebsd_committer 2021-05-23 06:59:57 UTC
Created attachment 225187 [details]
Updated patch file

Stop updating to newer version and only add upstream patch to fix CVE-2021-3541 instead.

It it found build of textproc/libxslt is fails with 2.9.12. So stop updating to newer version and only add upstream patch to fix CVE-2021-3541 instead.
Comment 3 Yasuhiro Kimura freebsd_committer 2021-05-23 07:05:52 UTC
Since updated patch only fixes CVE-2021-3541, I withdraw exp-run request.
Comment 4 commit-hook freebsd_committer 2021-05-23 14:33:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=83889bd6875d128b44342dd3cd58fe6027b98542

commit 83889bd6875d128b44342dd3cd58fe6027b98542
Author:     Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-05-23 14:27:31 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-23 14:31:54 +0000

    textproc/libxml2: add upstream fix for CVE-2021-3541

    This is relapted to parameter entities expansion and following
    the line of the billion laugh attack. Somehow in that path the
    counting of parameters was missed and the normal algorithm based
    on entities "density" was useless.

    PR:             256094
    Obtained from:  https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
    Security:       CVE-2021-3541

 textproc/libxml2/Makefile                        |  2 +-
 textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
Comment 5 commit-hook freebsd_committer 2021-05-23 14:36:19 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d1aa619eee6b57face171474c3166f4112447f26

commit d1aa619eee6b57face171474c3166f4112447f26
Author:     Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-05-23 14:27:31 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-05-23 14:35:28 +0000

    textproc/libxml2: add upstream fix for CVE-2021-3541

    This is relapted to parameter entities expansion and following
    the line of the billion laugh attack. Somehow in that path the
    counting of parameters was missed and the normal algorithm based
    on entities "density" was useless.

    PR:             256094
    Obtained from:  https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
    Security:       CVE-2021-3541

    (cherry picked from commit 83889bd6875d128b44342dd3cd58fe6027b98542)

 textproc/libxml2/Makefile                        |  2 +-
 textproc/libxml2/files/patch-CVE-2021-3541 (new) | 67 ++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
Comment 6 Tobias C. Berner freebsd_committer 2021-05-23 14:48:04 UTC
Committed, and MFH-ed -- thanks a lot :)


mfg Tobias