Date: Sun, 22 Jun 2025 10:13:39 +0200
From: Daniel Engberg <diizzy@FreeBSD.org>
To: "Herbert J. Skuhra" <herbert@gojira.at>
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: fb3e1d5f3dd2 - main - textproc/libxml2: backport upstream commits fixing CVEs
Message-ID: <f2dca131-d3a1-49af-9e4e-f3ab79acfd19@FreeBSD.org>
In-Reply-To: <87qzzcb4t6.wl-herbert@gojira.at>
References: <202506211857.55LIvRIE027934@gitrepo.freebsd.org> <87qzzcb4t6.wl-herbert@gojira.at>
[-- Attachment #1 --]

On 2025-06-22 09:42, Herbert J. Skuhra wrote:
> On Sat, 21 Jun 2025 20:57:27 +0200, Charlie Li wrote:
>> The branch main has been updated by vishwin:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=fb3e1d5f3dd216ef419a40570c1a97f1ee28a47f
>>
>> commit fb3e1d5f3dd216ef419a40570c1a97f1ee28a47f
>> Author:     Charlie Li <vishwin@FreeBSD.org>
>> AuthorDate: 2025-06-21 18:55:14 +0000
>> Commit:     Charlie Li <vishwin@FreeBSD.org>
>> CommitDate: 2025-06-21 18:55:14 +0000
>>
>> textproc/libxml2: backport upstream commits fixing CVEs
>>
>> [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
>> [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
>> [CVE-2025-32414] python: Read at most len/4 characters.
>>
>> PR: 287391
>> ---
>> textproc/libxml2/Makefile    | 7 ++++++-
>> textproc/libxml2/distinfo    | 8 +++++++-
>> textproc/py-libxml2/Makefile | 2 +-
>> 3 files changed, 14 insertions(+), 3 deletions(-)
>>
>> diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
>> index 251af286f36d..67c3243418bf 100644
>> --- a/textproc/libxml2/Makefile
>> +++ b/textproc/libxml2/Makefile
>> @@ -1,10 +1,15 @@
>> PORTNAME= libxml2
>> DISTVERSION= 2.11.9
>> -PORTREVISION?= 0
>> +PORTREVISION?= 1
>> CATEGORIES?= textproc gnome
>> MASTER_SITES= GNOME
>> DIST_SUBDIR= gnome
>>
>> +PATCH_SITES= https://gitlab.gnome.org/GNOME/${PORTNAME}/-/commit/
>> +PATCHFILES+= 245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch:-p1 # CVE-2024-56171
>> +PATCHFILES+= 858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch:-p1 # CVE-2025-24928
>> +PATCHFILES+= d7657811964eac1cb9743bb98649278ad948f0d2.patch:-p1 # CVE-2025-32414
>> +
>> MAINTAINER= desktop@FreeBSD.org
>> COMMENT?= XML parser library for GNOME
>> WWW= http://xmlsoft.org/
>> diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
>> index 4ea4340dc6f1..fc9a1ddad574 100644
>> --- a/textproc/libxml2/distinfo
>> +++ b/textproc/libxml2/distinfo
>> @@ -1,3 +1,9 @@
>> -TIMESTAMP = 1725749707
>> +TIMESTAMP = 1750532030
>> SHA256 (gnome/libxml2-2.11.9.tar.xz) = 780157a1efdb57188ec474dca87acaee67a3a839c2525b2214d318228451809f
>> SIZE (gnome/libxml2-2.11.9.tar.xz) = 2627500
>> +SHA256 (gnome/245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch) = 5fb5bed3c40fee5ecb60dbf96fd6c5071f08a54487f534540c54bc9cb6d5b16e
>> +SIZE (gnome/245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch) = 1273
>> +SHA256 (gnome/858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch) = e3585a9e59f3146a53a1091fd00378e81676a824feab037cd8d71807cea73c73
>> +SIZE (gnome/858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch) = 1806
>> +SHA256 (gnome/d7657811964eac1cb9743bb98649278ad948f0d2.patch) = 3d7e10866d8be511da64bee6a998c4f68785326bf0d403af7be6745830d9bca2
>> +SIZE (gnome/d7657811964eac1cb9743bb98649278ad948f0d2.patch) = 2526
>> diff --git a/textproc/py-libxml2/Makefile b/textproc/py-libxml2/Makefile
>> index 7633fdebb4a1..a9ff9bf0a9c7 100644
>> --- a/textproc/py-libxml2/Makefile
>> +++ b/textproc/py-libxml2/Makefile
>> @@ -1,4 +1,4 @@
>> -PORTREVISION= 2
>> +PORTREVISION= 3
>> CATEGORIES= textproc gnome python
>> PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
>
> Is there something wrong with security/vuxml/vuln/2025.xml?
>
> # pkg audit -F
> vulnxml file up-to-date
> libxml2-2.11.9_1 is vulnerable:
>   libxml2 -- Out-of-bounds memory access
>   CVE: CVE-2025-32414
>   WWW: https://vuxml.FreeBSD.org/freebsd/2926c487-3e53-11f0-95d4-00a098b42aeb.html
>
>   libxml2 -- Use After Free
>   CVE: CVE-2024-56171
>   WWW: https://vuxml.FreeBSD.org/freebsd/bd2af307-3e50-11f0-95d4-00a098b42aeb.html
>
>   libxml2 -- Stack-based Buffer Overflow
>   CVE: CVE-2025-24928
>   WWW: https://vuxml.FreeBSD.org/freebsd/fdd02be0-3e50-11f0-95d4-00a098b42aeb.html
>
> 3 problem(s) in 1 package(s) found.
>
> $ ls -l /var/db/pkg/vuln.xml
> -r--r--r--  1 root wheel 8690093 Jun 21 17:45 /var/db/pkg/vuln.xml

Hi,

It takes about 12-24h for VuXML entries to get updated.

Best regards,
Daniel
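Review bot: the libxml2 Makefile hunk bumps PORTREVISION to 1 and wires in the three upstream patches, but the diffstat in the commit message lists only the two libxml2 files and the py-libxml2 Makefile, so the affected-version range in the three VuXML entries that `pkg audit` later reports for CVE-2024-56171, CVE-2025-24928 and CVE-2025-32414 is maintained outside this commit; until those entries record 2.11.9_1 as fixed and the regenerated vuln.xml reaches the host, the patched package is still flagged, which is exactly what the `pkg audit -F` output quoted in the thread shows. A second, smaller point on the same hunk: the CVE ids live only in trailing `#` comments on the `PATCHFILES+=` lines, and since the patches are fetched from the upstream commit pages named by `PATCH_SITES` at build time, the distinfo checksums are the only thing that binds each fetched file to the CVE the comment names, so a short comment above `PATCH_SITES` saying so would help the next person who touches this block.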
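Review bot: the distinfo entries for the three `.patch` files should be regenerated with `make makesum` rather than edited by hand, and a later checksum mismatch on any of them must be treated as a changed upstream artifact to inspect, not as a stale hash to refresh, because these SHA256 and SIZE lines are what pin the fetched patch content to the commit ids listed in the Makefile. The refreshed TIMESTAMP is consistent with a makesum run, so this is just a process note for the next refresh.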
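Review bot: the py-libxml2 hunk is a bare PORTREVISION bump with no comment saying why; the commit message ties CVE-2025-32414 to the Python binding ("python: Read at most len/4 characters"), so a one-line comment stating that the bump exists to rebuild the binding against the patched source would make the reason traceable from the file itself. Because this port carries its own PORTREVISION (3, not libxml2's 1), its package version differs from libxml2's, so the VuXML entry for CVE-2025-32414 needs a separate affected range for the `${PYTHON_PKGNAMEPREFIX}libxml2` package names as well, or `pkg audit` will never report the Python binding as fixed.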