Bug 281090 - graphics/exiv2: update 0.28.2 → 0.28.3, fix CVE-2024-39695
Summary: graphics/exiv2: update 0.28.2 → 0.28.3, fix CVE-2024-39695
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-multimedia (Nobody)
URL: https://exiv2.org/whatsnew.html
Keywords: security
Depends on:
Blocks:
 
Reported: 2024-08-27 10:22 UTC by Älven
Modified: 2024-09-07 10:06 UTC

See Also:
jhale: maintainer-feedback+


Attachments
[PATCH] graphics/exiv2: update 0.28.2 → 0.28.3, fix CVE-2024-39695 (3.89 KB, patch)
2024-08-27 10:22 UTC, Älven
alster: maintainer-approval? (multimedia)

Description Älven 2024-08-27 10:22:15 UTC
Created attachment 253121
[PATCH] graphics/exiv2: update 0.28.2 → 0.28.3, fix CVE-2024-39695

https://nvd.nist.gov/vuln/detail/CVE-2024-39695
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2024-08-27 22:01:52 UTC
Please keep the current Makefile layout. Runtime tested? Did you test this in Poudriere?
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-09-07 09:29:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5594c90dd6631d467c5a00798aaf7d811dbc038a

commit 5594c90dd6631d467c5a00798aaf7d811dbc038a
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-09-07 09:04:01 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-09-07 09:29:10 +0000

    graphics/exiv2: Update to 0.28.3

    https://github.com/Exiv2/exiv2/releases/tag/v0.28.3

    PR:             281090
    Reported by:    Alven <alster@vinterdalen.se>
    MFH:            2024Q3
    Security:       3e44c35f-6cf4-11ef-b813-4ccc6adda413

 graphics/exiv2/Makefile  | 8 +++-----
 graphics/exiv2/distinfo  | 6 +++---
 graphics/exiv2/pkg-plist | 9 ++++++---
 3 files changed, 12 insertions(+), 11 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-09-07 09:33:56 UTC
A commit in branch 2024Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f71b144a165b96b0f1aa7acaec3267dbc9dfa79a

commit f71b144a165b96b0f1aa7acaec3267dbc9dfa79a
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-09-07 09:04:01 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-09-07 09:32:56 +0000

    graphics/exiv2: Update to 0.28.3

    https://github.com/Exiv2/exiv2/releases/tag/v0.28.3

    PR:             281090
    Reported by:    Alven <alster@vinterdalen.se>
    MFH:            2024Q3
    Security:       3e44c35f-6cf4-11ef-b813-4ccc6adda413

    (cherry picked from commit 5594c90dd6631d467c5a00798aaf7d811dbc038a)

 graphics/exiv2/Makefile  | 7 +++----
 graphics/exiv2/distinfo  | 6 +++---
 graphics/exiv2/pkg-plist | 9 ++++++---
 3 files changed, 12 insertions(+), 10 deletions(-)
Comment 4 Jason E. Hale freebsd_committer freebsd_triage 2024-09-07 10:06:21 UTC
Thanks for using portclippy(1), but it sometimes makes questionable edits. E.g., having a special place for SHEBANG_FILES, but not for DOS2UNIX_FILES makes no sense. <OPTION>_IMPLIES at the top of the option block might be alright, but portclippy wants <OPTION>_DESC in a separate block, which is, IMHO, egregious.

To reduce churn and to keep certain people from having a spasm, including myself, I've reduced the changes to the Makefile. There were more important problems to address anyways, like dependencies.

I've added an entry to security/vuxml for CVE-2024-39695.