Date: Sun, 20 Sep 2009 17:40:33 +0200 (CEST)
From: olli hauer <ohauer@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org, lev@FreeBSD.org
Cc: ohauer@gmx.de
Subject: ports/138991: [patch] port neon26 CVE-2009-2473 and CVE-2009-2474
Message-ID: <20090920154033.63F4426145@u18-124.dsl.vianetworks.de>
Resent-Message-ID: <200909201550.n8KFo0aO032737@freefall.freebsd.org>

>Number: 138991
>Category: ports
>Synopsis: [patch] port neon26 CVE-2009-2474 and CVE-2009-2474
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 20 15:50:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: olli hauer <ohauer@gmx.de>
>Release: FreeBSD 7.2-RELEASE-p3 i386
>Organization:
>Environment:
>Description:
neon26 is affected by CVE-2009-2473 and CVE-2009-2474.
It is only safe to forbid the whole port or allow build only with libxml2 and no ssl support.

I've rewritten the build script and the build went OK with parameters -DWITH_XML -DWITHOUT_OPENSSL.
The resulting lib was *not* tested since all ports except port www/neonpp depend on neon28.

The neoncpp project seems dead, maybe it is safer to mark neon26 forbidden and neoncpp deprecated.

//olli
>How-To-Repeat:
>Fix:

--- patch_neon26.4.txt begins here ---
--- Makefile 2009/09/20 11:32:59 1.1 +++ Makefile 2009/09/20 14:13:46 
@@ -7,22 +7,42 @@ PORTNAME= neon26 PORTVERSION= 0.26.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www -MASTER_SITES= http://www.webdav.org/neon/ \ - http://keyserver.kjsl.com/~jharris/distfiles/ +MASTER_SITES= http://www.webdav.org/neon/ DISTNAME= neon-${PORTVERSION} MAINTAINER= lev@FreeBSD.org COMMENT= An HTTP and WebDAV client library for Unix systems -LIB_DEPENDS= expat.6:${PORTSDIR}/textproc/expat2 - -CONFLICTS= neon28-[0-9]* +CONFLICTS= neon2[8|9]-[0-9]* USE_AUTOTOOLS= libtool:22 USE_LDCONFIG= yes +USE_GNOME= gnomehack gnometarget +GNU_CONFIGURE= yes +CONFIGURE_ARGS= --enable-shared \ + --with-libs=${LOCALBASE}:${PREFIX} + +# expat is default unless WITH_XML is choosen +.if !defined(WITHOUT_EXPAT) && !defined(WITH_XML) +FORBIDDEN= see CVE-2009-2473 and CVE-2009-2474 please use neon28 or neon29 instead +CONFIGURE_ARGS+= --with-expat +LIB_DEPENDS+= expat.6:${PORTSDIR}/textproc/expat2 +.endif + +.if defined(WITH_XML) +CONFIGURE_ARGS+=--with-libxml2 +LIB_DEPENDS+= xml2.5:${PORTSDIR}/textproc/libxml2 +.endif + +.ifndef WITHOUT_OPENSSL +FORBIDDEN= see CVE-2009-2474 please use neon28 or neon29 instead +USE_OPENSSL= yes +CONFIGURE_ARGS+=--with-ssl +.endif + .if defined(WITHOUT_NLS) CONFIGURE_ARGS+=--disable-nls PLIST_SUB+= NLS="@comment " @@ -31,18 +51,6 @@ PLIST_SUB+= NLS="" .endif -.ifndef WITHOUT_OPENSSL -USE_OPENSSL= yes -.endif - -USE_GNOME= gnomehack gnometarget -GNU_CONFIGURE= yes -CONFIGURE_ARGS= --with-ssl \ - --enable-xml \ - --enable-shared \ - --with-expat \ - --with-libs=${PREFIX} - MAN1= neon-config.1 MAN3= ne_add_request_header.3 ne_addr_resolve.3 ne_buffer.3 \ ne_buffer_append.3 ne_buffer_clear.3 ne_buffer_create.3 \ 
@@ -116,6 +124,12 @@ DOCSDIR:= ${DOCSDIR:S/26//} +pre-everything:: +.if defined(WITH_EXPAT) && defined(WITH_XML) + @${ECHO_CMD} "please choose between expat and libxml2 not both" + @${FALSE} +.endif + post-install: ${INSTALL_MAN} ${WRKSRC}/doc/man/*.1 ${MANPREFIX}/man/man1 ${INSTALL_MAN} ${WRKSRC}/doc/man/*.3 ${MANPREFIX}/man/man3 --- patch_neon26.4.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
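
Review bot: In the first hunk (@@ -7,22 +7,42 @@) FORBIDDEN is assigned with "=" in both the expat block and the ".ifndef WITHOUT_OPENSSL" block, so in the default configuration the second assignment replaces the first and the message names only CVE-2009-2474. Use one message that covers both cases, or build the text up so that both reasons survive. In the same hunk, "CONFLICTS= neon2[8|9]-[0-9]*" treats "|" as alternation, but inside brackets it is a literal character; "neon2[89]-[0-9]*" says what is meant.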
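
Review bot: The CONFIGURE_ARGS block removed in the second hunk (@@ -31,18 +51,6 @@) passed --enable-xml, and the replacement added in the first hunk does not carry it over, while the description says nothing about dropping it. State whether that is intentional. The removed block also passed --with-ssl unconditionally; now that it is tied to WITHOUT_OPENSSL, a build with WITHOUT_OPENSSL set passes no SSL option at all, and an explicit --without-ssl would make the no-SSL build a stated choice rather than whatever configure defaults to.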
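
Review bot: The pre-everything check in the third hunk (@@ -116,6 +124,12 @@) tests WITH_EXPAT, but nothing else in the patch reads that knob: the first hunk selects expat through "!defined(WITHOUT_EXPAT) && !defined(WITH_XML)". The check therefore fires only when someone sets a variable that otherwise has no effect, and the combination that leaves the build with no parser option, WITHOUT_EXPAT set and WITH_XML unset, passes unnoticed. Test for that combination here, or drop WITHOUT_EXPAT and key the parser choice on WITH_XML alone.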