Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 20 Sep 2009 17:40:33 +0200 (CEST)
From:      olli hauer <ohauer@gmx.de>
To:        FreeBSD-gnats-submit@FreeBSD.org, lev@FreeBSD.org
Cc:        ohauer@gmx.de
Subject:   ports/138991: [patch] port neon26 CVE-2009-2473 and CVE-2009-2474
Message-ID:  <20090920154033.63F4426145@u18-124.dsl.vianetworks.de>
Resent-Message-ID: <200909201550.n8KFo0aO032737@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         138991
>Category:       ports
>Synopsis:       [patch] port neon26 CVE-2009-2474 and CVE-2009-2474
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 20 15:50:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     olli hauer <ohauer@gmx.de>
>Release:        FreeBSD 7.2-RELEASE-p3 i386
>Organization:
>Environment:


>Description:
neon26 is affected by CVE-2009-2473 and CVE-2009-2474.

It is only save to forbit the whole port or allow build only with 
libxml2 and no ssl support.

I've rewritten the build script and the build went OK with
parameters -DWITH_XML -DWITHOUT_OPENSSL.

The resulting lib was *not* tested since all ports except port
www/neonpp depends on neon28

The neoncpp project seems dead, maybe it is more save to mark neon26
forbitten and neoncpp deprecated.


//olli

>How-To-Repeat:
>Fix:
--- patch_neon26.4.txt begins here ---
--- Makefile	2009/09/20 11:32:59	1.1
+++ Makefile	2009/09/20 14:13:46
@@ -7,22 +7,42 @@
 
 PORTNAME=	neon26
 PORTVERSION=	0.26.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
-MASTER_SITES=	http://www.webdav.org/neon/ \
-		http://keyserver.kjsl.com/~jharris/distfiles/
+MASTER_SITES=	http://www.webdav.org/neon/
 DISTNAME=	neon-${PORTVERSION}
 
 MAINTAINER=	lev@FreeBSD.org
 COMMENT=	An HTTP and WebDAV client library for Unix systems
 
-LIB_DEPENDS=	expat.6:${PORTSDIR}/textproc/expat2
-
-CONFLICTS=	neon28-[0-9]*
+CONFLICTS=	neon2[8|9]-[0-9]*
 
 USE_AUTOTOOLS=	libtool:22
 USE_LDCONFIG=	yes
 
+USE_GNOME=	gnomehack gnometarget
+GNU_CONFIGURE=	yes
+CONFIGURE_ARGS= --enable-shared \
+		--with-libs=${LOCALBASE}:${PREFIX}
+
+# expat is default unless WITH_XML is choosen
+.if !defined(WITHOUT_EXPAT) && !defined(WITH_XML)
+FORBIDDEN= see CVE-2009-2473 and CVE-2009-2474 please use neon28 or neon29 instead
+CONFIGURE_ARGS+= --with-expat
+LIB_DEPENDS+=	expat.6:${PORTSDIR}/textproc/expat2
+.endif
+
+.if defined(WITH_XML)
+CONFIGURE_ARGS+=--with-libxml2
+LIB_DEPENDS+=   xml2.5:${PORTSDIR}/textproc/libxml2
+.endif
+
+.ifndef WITHOUT_OPENSSL
+FORBIDDEN= see CVE-2009-2474 please use neon28 or neon29 instead
+USE_OPENSSL=	yes
+CONFIGURE_ARGS+=--with-ssl
+.endif
+
 .if defined(WITHOUT_NLS)
 CONFIGURE_ARGS+=--disable-nls
 PLIST_SUB+=	NLS="@comment "
@@ -31,18 +51,6 @@
 PLIST_SUB+=	NLS=""
 .endif
 
-.ifndef WITHOUT_OPENSSL
-USE_OPENSSL=	yes
-.endif
-
-USE_GNOME=	gnomehack gnometarget
-GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-ssl \
-		--enable-xml \
-		--enable-shared \
-		--with-expat \
-		--with-libs=${PREFIX}
-
 MAN1=	neon-config.1
 MAN3=	ne_add_request_header.3 ne_addr_resolve.3 ne_buffer.3 \
 	ne_buffer_append.3 ne_buffer_clear.3 ne_buffer_create.3 \
@@ -116,6 +124,12 @@
 
 DOCSDIR:=	${DOCSDIR:S/26//}
 
+pre-everything::
+.if defined(WITH_EXPAT) && defined(WITH_XML)
+	@${ECHO_CMD} "please choose between expat and libxml2 not both"
+	@${FALSE}
+.endif
+
 post-install:
 	${INSTALL_MAN} ${WRKSRC}/doc/man/*.1 ${MANPREFIX}/man/man1
 	${INSTALL_MAN} ${WRKSRC}/doc/man/*.3 ${MANPREFIX}/man/man3
--- patch_neon26.4.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090920154033.63F4426145>