Date:      Thu, 04 Jun 2015 11:04:40 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 200631] www/tidy-devel: buffer overflow
Message-ID:  <bug-200631-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200631

            Bug ID: 200631
           Summary: www/tidy-devel: buffer overflow
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: thierry@FreeBSD.org
          Reporter: walter@lifeforms.nl
             Flags: maintainer-feedback?(thierry@FreeBSD.org)

A security issue (buffer overflow in parsing HTML) has been fixed in tidy
4.9.31.

https://github.com/htacg/tidy-html5/issues/217

It seems there are a few versions of tidy in the ports tree:
- www/tidy-html5 is tidy 4.9.30, which should be bumped to 4.9.31
- www/tidy-devel is libtidy-0.99 or tidy 090315-cvs on sourceforge, which looks
abandoned since 2009
- www/tidy-lib just depends on tidy-devel
- www/tidy is tidy 20000804, and looks abandoned since 2000

If I parse the github issue correctly:
- www/tidy-html5 is vulnerable
- www/tidy-devel is vulnerable. It has the affected code part in tmbstr.c. Bug
report says: "I can confirm this BUG exists in the 2008/9 libtidy.0.99.so last
release, the sourceforge cvs tidy, which is still present in some
distributions. Just the quite unique nature of using 'code' ending in spaces or
a newline just before an attribute with a 'blank' value prevents it from being
seen more often."
- www/tidy seems NOT vulnerable. It does not seem to have the affected code
snippet. Bug report says: "Interestingly, it is NOT present in TidyAug2000
[...]"

The solution for www/tidy-html5 seems a trivial version bump, but the
www/tidy-devel upstream seems unmaintained, so we possibly should add a patch.

Alternatively, if tidy-html5 is more-or-less a drop-in replacement for
tidy-devel, it might be a good moment to get rid of the unmaintained www/tidy
and www/tidy-devel ports.

-- 
You are receiving this mail because:
You are the assignee for the bug.


