From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Sep 20 15:50:01 2009
Message-Id: <20090920154033.63F4426145@u18-124.dsl.vianetworks.de>
Date: Sun, 20 Sep 2009 17:40:33 +0200 (CEST)
From: olli hauer
To: FreeBSD-gnats-submit@FreeBSD.org, lev@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: ohauer@gmx.de
Subject: ports/138991: [patch] port neon26 CVE-2009-2473 and CVE-2009-2474
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: olli hauer
List-Id: Ports bug reports
X-List-Received-Date: Sun, 20 Sep 2009 15:50:01 -0000

>Number: 138991
>Category: ports
>Synopsis: [patch] port neon26 CVE-2009-2474 and CVE-2009-2474
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 20 15:50:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: olli hauer
>Release: FreeBSD 7.2-RELEASE-p3 i386
>Organization:
>Environment:
>Description:
neon26 is affected by CVE-2009-2473 and CVE-2009-2474.
It is only safe to forbid the whole port or allow build only with libxml2 and no ssl support.

I've rewritten the build script and the build went OK with parameters -DWITH_XML -DWITHOUT_OPENSSL.
The resulting lib was *not* tested since all ports except port www/neonpp depend on neon28.

The neoncpp project seems dead, maybe it is safer to mark neon26 forbidden and neoncpp deprecated.

//olli
>How-To-Repeat:
>Fix:
--- patch_neon26.4.txt begins here ---
--- Makefile 2009/09/20 11:32:59 1.1 +++ Makefile 2009/09/20 14:13:46 
@@ -7,22 +7,42 @@ PORTNAME= neon26 PORTVERSION= 0.26.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www -MASTER_SITES= http://www.webdav.org/neon/ \ - http://keyserver.kjsl.com/~jharris/distfiles/ +MASTER_SITES= http://www.webdav.org/neon/ DISTNAME= neon-${PORTVERSION} MAINTAINER= lev@FreeBSD.org COMMENT= An HTTP and WebDAV client library for Unix systems -LIB_DEPENDS= expat.6:${PORTSDIR}/textproc/expat2 - -CONFLICTS= neon28-[0-9]* +CONFLICTS= neon2[8|9]-[0-9]* USE_AUTOTOOLS= libtool:22 USE_LDCONFIG= yes +USE_GNOME= gnomehack gnometarget +GNU_CONFIGURE= yes +CONFIGURE_ARGS= --enable-shared \ + --with-libs=${LOCALBASE}:${PREFIX} + +# expat is default unless WITH_XML is choosen +.if !defined(WITHOUT_EXPAT) && !defined(WITH_XML) +FORBIDDEN= see CVE-2009-2473 and CVE-2009-2474 please use neon28 or neon29 instead +CONFIGURE_ARGS+= --with-expat +LIB_DEPENDS+= expat.6:${PORTSDIR}/textproc/expat2 +.endif + +.if defined(WITH_XML) +CONFIGURE_ARGS+=--with-libxml2 +LIB_DEPENDS+= xml2.5:${PORTSDIR}/textproc/libxml2 +.endif + +.ifndef WITHOUT_OPENSSL +FORBIDDEN= see CVE-2009-2474 please use neon28 or neon29 instead +USE_OPENSSL= yes +CONFIGURE_ARGS+=--with-ssl +.endif + .if defined(WITHOUT_NLS) CONFIGURE_ARGS+=--disable-nls PLIST_SUB+= NLS="@comment " @@ -31,18 +51,6 @@ PLIST_SUB+= NLS="" .endif -.ifndef WITHOUT_OPENSSL -USE_OPENSSL= yes -.endif - -USE_GNOME= gnomehack gnometarget -GNU_CONFIGURE= yes -CONFIGURE_ARGS= --with-ssl \ - --enable-xml \ - --enable-shared \ - --with-expat \ - --with-libs=${PREFIX} - MAN1= neon-config.1 MAN3= ne_add_request_header.3 ne_addr_resolve.3 ne_buffer.3 \ ne_buffer_append.3 ne_buffer_clear.3 ne_buffer_create.3 \ 
@@ -116,6 +124,12 @@ DOCSDIR:= ${DOCSDIR:S/26//} +pre-everything:: +.if defined(WITH_EXPAT) && defined(WITH_XML) + @${ECHO_CMD} "please choose between expat and libxml2 not both" + @${FALSE} +.endif + post-install: ${INSTALL_MAN} ${WRKSRC}/doc/man/*.1 ${MANPREFIX}/man/man1 ${INSTALL_MAN} ${WRKSRC}/doc/man/*.3 ${MANPREFIX}/man/man3 --- patch_neon26.4.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
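Review bot: In the first hunk (@@ -7,22 +7,42 @@) the expat block is guarded by `.if !defined(WITHOUT_EXPAT) && !defined(WITH_XML)`, so a build with WITHOUT_EXPAT set and WITH_XML unset adds neither `--with-expat` nor `--with-libxml2`, is not marked FORBIDDEN by this block, and leaves the XML parser choice to configure with no matching LIB_DEPENDS entry. Consider making the choice two-way (libxml2 when WITH_XML is set, otherwise expat plus FORBIDDEN) or rejecting that combination outright. Two smaller points in the same hunk: `CONFLICTS= neon2[8|9]-[0-9]*` puts `|` inside a bracket expression, where it is a literal character rather than alternation, so `neon2[89]-[0-9]*` is what is meant; and both FORBIDDEN lines assign with `=`, so in the default build the OpenSSL message replaces the expat one and only CVE-2009-2474 is reported. The comment typo "choosen" should read "chosen".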
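Review bot: In the second hunk (@@ -31,18 +51,6 @@) the removed CONFIGURE_ARGS block carried `--enable-xml`, and the replacement block added in the first hunk passes neither it nor an equivalent; the library path also changes from `--with-libs=${PREFIX}` to `--with-libs=${LOCALBASE}:${PREFIX}`. Neither change is mentioned in the description, so please state whether both are intentional. Dropping the unconditional `--with-ssl` is what lets WITHOUT_OPENSSL take effect, but nothing is passed in its place when the knob is set; an explicit `--without-ssl` in an `.else` branch would keep the result from depending on what configure detects on the build host.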
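Review bot: In the third hunk (@@ -116,6 +124,12 @@) the `pre-everything` check tests `defined(WITH_EXPAT) && defined(WITH_XML)`, but WITH_EXPAT is not consulted anywhere else in the patch: the first hunk keys on WITHOUT_EXPAT and WITH_XML, and WITH_XML already wins there. As written the check guards a knob that has no other effect, while the combination that actually yields an unspecified parser (WITHOUT_EXPAT set, WITH_XML unset) passes unnoticed. Either drop WITH_EXPAT and test for that combination here, or make the first hunk honour WITH_EXPAT so the two places agree on the knob names.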