Date: Thu, 04 Jun 2015 11:04:40 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 200631] www/tidy-devel: buffer overflow Message-ID: <bug-200631-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200631 Bug ID: 200631 Summary: www/tidy-devel: buffer overflow Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: thierry@FreeBSD.org Reporter: walter@lifeforms.nl Assignee: thierry@FreeBSD.org Flags: maintainer-feedback?(thierry@FreeBSD.org) A security issue (buffer overflow in parsing HTML) has been fixed in tidy 4.9.31. https://github.com/htacg/tidy-html5/issues/217 It seems there are a few versions of tidy in the ports tree: - www/tidy-html5 is tidy 4.9.30, which should be bumped to 4.9.31 - www/tidy-devel is libtidy-0.99 or tidy 090315-cvs on sourceforge, which looks abandoned since 2009 - www/tidy-lib just depends on tidy-devel - www/tidy is tidy 20000804, and looks abandoned since 2000 If I parse the github issue correctly: - www/tidy-html5 is vulnerable - www/tidy-devel is vulnerable. It has the affected code part in tmbstr.c. Bug report says: "I can confirm this BUG exists in the 2008/9 libtidy.0.99.so last release, the sourceforge cvs tidy, which is still present in some distributions. Just the quite unique nature of using 'code' ending in spaces or a newline just before an attribute with a 'blank' value prevents it from being seens more often." - www/tidy seems NOT vulnerable. It does not seem to have the affected code snippet. Bug report says: "Interestingly, it is NOT present in TidyAug2000 [...]" The solution for www/tidy-html5 seems a trivial version bump, but the www/tidy-devel upstream seems unmaintained, so we possibly should add a patch. Alternatively, if tidy-html5 is more-or-less a drop-in replacement for tidy-devel, it might be a good moment to get rid of the unmaintained www/tidy and www/tidy-devel ports. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-200631-13>