Bug 256436 - textproc/libxml2: Update to 2.9.12 (fixes several vulnerabilities)
Summary: textproc/libxml2: Update to 2.9.12 (fixes several vulnerabilities)
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: freebsd-desktop (Team)
URL: http://www.xmlsoft.org/news.html
Keywords: needs-qa, security
Depends on:
Blocks:
Reported: 2021-06-06 09:42 UTC by Daniel Engberg
Modified: 2021-06-12 21:07 UTC (History)
2 users

See Also:
bugzilla: maintainer-feedback? (desktop)
koobs: merge-quarterly?


Attachments
Patch for libxml2 (26.76 KB, patch)
2021-06-06 09:42 UTC, Daniel Engberg
no flags
Patch for libxml2 v2 (28.53 KB, patch)
2021-06-09 20:03 UTC, Daniel Engberg
no flags
Patch for libxml2 v3 (30.38 KB, patch)
2021-06-12 21:07 UTC, Daniel Engberg
no flags

Description Daniel Engberg 2021-06-06 09:42:46 UTC
Created attachment 225587 [details]
Patch for libxml2

Update libxml2 to 2.9.12
Backport the following commits:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/85b1792e37b131e7a51af98a37f92472e8de5f3f
https://gitlab.gnome.org/GNOME/libxml2/-/commit/13ad8736d294536da4cbcd70a96b0a2fbf47070c
https://gitlab.gnome.org/GNOME/libxml2/-/commit/3e1aad4fe584747fd7d17cc7b2863a78e2d21a77

Compile and runtime tested on 13.0-STABLE #0 stable/13-n245227-5ec4eb443e8 (amd64) (make, make check-plist, make test)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)

textproc/py-libxml2:
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
Comment 1 Daniel Engberg 2021-06-06 09:43:36 UTC
When compiling tests -pthread needs to be passed, not sure how to handle that in a nice way (see patch).
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-06 12:27:18 UTC
^Triage: Security and bugfix releases, MFH.

@Daniel Is there a canonical source for the 2.9.10-12 release notes? I see only a single CVE reference for .11 (CVE-2021-3541) but see other CVEs being referenced elsewhere online that affect .10 too.

CVE-2019-20388
CVE-2020-24977
CVE-2021-3517
CVE-2021-3518
CVE-2021-3537
CVE-2021-3516
CVE-2020-7595
Comment 3 Daniel Engberg 2021-06-06 13:08:43 UTC
@Koobs

https://gitlab.gnome.org/GNOME/libxml2/-/commit/b48e77cf4f6fa0792c5f4b639707a2b0675e461b

That's the only commit between .11 and .12

There's no (to my knowledge) other source by upstream except for the commit log.
Comment 4 Daniel Engberg 2021-06-09 20:03:23 UTC
Created attachment 225669 [details]
Patch for libxml2 v2

Fix tests
Comment 5 Daniel Engberg 2021-06-12 21:07:05 UTC
Created attachment 225761 [details]
Patch for libxml2 v3

Backport https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f