ports/138991: [patch] port neon26 CVE-2009-2473 and CVE-2009-2474
olli hauer
ohauer at gmx.de
Sun Sep 20 15:50:01 UTC 2009
>Number: 138991
>Category: ports
>Synopsis: [patch] port neon26 CVE-2009-2474 and CVE-2009-2474
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 20 15:50:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: olli hauer <ohauer at gmx.de>
>Release: FreeBSD 7.2-RELEASE-p3 i386
>Organization:
>Environment:
>Description:
neon26 is affected by CVE-2009-2473 and CVE-2009-2474.
It is only safe to forbid the whole port or allow build only with
libxml2 and no ssl support.
I've rewritten the build script and the build went OK with
parameters -DWITH_XML -DWITHOUT_OPENSSL.
The resulting lib was *not* tested since all ports except port
www/neonpp depend on neon28.
The neoncpp project seems dead, maybe it is safer to mark neon26
forbidden and neoncpp deprecated.
//olli
>How-To-Repeat:
>Fix:
--- patch_neon26.4.txt begins here ---
--- Makefile 2009/09/20 11:32:59 1.1
+++ Makefile 2009/09/20 14:13:46
@@ -7,22 +7,42 @@
PORTNAME= neon26
PORTVERSION= 0.26.4
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www
-MASTER_SITES= http://www.webdav.org/neon/ \
- http://keyserver.kjsl.com/~jharris/distfiles/
+MASTER_SITES= http://www.webdav.org/neon/
DISTNAME= neon-${PORTVERSION}
MAINTAINER= lev at FreeBSD.org
COMMENT= An HTTP and WebDAV client library for Unix systems
-LIB_DEPENDS= expat.6:${PORTSDIR}/textproc/expat2
-
-CONFLICTS= neon28-[0-9]*
+CONFLICTS= neon2[8|9]-[0-9]*
USE_AUTOTOOLS= libtool:22
USE_LDCONFIG= yes
+USE_GNOME= gnomehack gnometarget
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS= --enable-shared \
+ --with-libs=${LOCALBASE}:${PREFIX}
+
+# expat is default unless WITH_XML is choosen
+.if !defined(WITHOUT_EXPAT) && !defined(WITH_XML)
+FORBIDDEN= see CVE-2009-2473 and CVE-2009-2474 please use neon28 or neon29 instead
+CONFIGURE_ARGS+= --with-expat
+LIB_DEPENDS+= expat.6:${PORTSDIR}/textproc/expat2
+.endif
+
+.if defined(WITH_XML)
+CONFIGURE_ARGS+=--with-libxml2
+LIB_DEPENDS+= xml2.5:${PORTSDIR}/textproc/libxml2
+.endif
+
+.ifndef WITHOUT_OPENSSL
+FORBIDDEN= see CVE-2009-2474 please use neon28 or neon29 instead
+USE_OPENSSL= yes
+CONFIGURE_ARGS+=--with-ssl
+.endif
+
.if defined(WITHOUT_NLS)
CONFIGURE_ARGS+=--disable-nls
PLIST_SUB+= NLS="@comment "
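Review bot: The second "FORBIDDEN=" in the ".ifndef WITHOUT_OPENSSL" block is a plain assignment, so in the default build (expat and OpenSSL both enabled) it overwrites the message set in the expat block, and the user only sees CVE-2009-2474 with no mention of CVE-2009-2473. Use "FORBIDDEN+=" in the second block, or set one combined message. Two smaller points in the same hunk: in "CONFLICTS= neon2[8|9]-[0-9]*" the "|" sits inside a bracket expression, where it is a literal character and not alternation, so "neon2[89]-[0-9]*" is what is meant; and with WITHOUT_EXPAT defined but WITH_XML not defined, neither "--with-expat" nor "--with-libxml2" is passed and neither LIB_DEPENDS line is added, so that combination should either be rejected or fall back to one parser explicitly.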
@@ -31,18 +51,6 @@
PLIST_SUB+= NLS=""
.endif
-.ifndef WITHOUT_OPENSSL
-USE_OPENSSL= yes
-.endif
-
-USE_GNOME= gnomehack gnometarget
-GNU_CONFIGURE= yes
-CONFIGURE_ARGS= --with-ssl \
- --enable-xml \
- --enable-shared \
- --with-expat \
- --with-libs=${PREFIX}
-
MAN1= neon-config.1
MAN3= ne_add_request_header.3 ne_addr_resolve.3 ne_buffer.3 \
ne_buffer_append.3 ne_buffer_clear.3 ne_buffer_create.3 \
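Review bot: The removed CONFIGURE_ARGS block carried "--enable-xml", and the replacement block added in the first hunk does not pass it in any branch; the description does not say whether that is intentional, so please confirm it and say so in the PR text. The same applies to "--with-libs", which changes from "${PREFIX}" to "${LOCALBASE}:${PREFIX}". It is also worth stating that the old "CONFIGURE_ARGS=" here was a plain assignment placed after the NLS block, so it discarded the earlier "CONFIGURE_ARGS+=--disable-nls"; moving the assignment above the NLS block changes that behaviour and should be mentioned as part of the change.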
@@ -116,6 +124,12 @@
DOCSDIR:= ${DOCSDIR:S/26//}
+pre-everything::
+.if defined(WITH_EXPAT) && defined(WITH_XML)
+ @${ECHO_CMD} "please choose between expat and libxml2 not both"
+ @${FALSE}
+.endif
+
post-install:
${INSTALL_MAN} ${WRKSRC}/doc/man/*.1 ${MANPREFIX}/man/man1
${INSTALL_MAN} ${WRKSRC}/doc/man/*.3 ${MANPREFIX}/man/man3
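Review bot: The pre-everything check tests "defined(WITH_EXPAT) && defined(WITH_XML)", but the conditionals added in the first hunk never consult WITH_EXPAT; they key on WITHOUT_EXPAT and WITH_XML. The check therefore only fires when a knob is set that has no other effect, while the combination that does produce a broken configuration in this Makefile (WITHOUT_EXPAT defined, WITH_XML not defined, so no XML parser is selected) passes silently. Suggest testing "defined(WITHOUT_EXPAT) && !defined(WITH_XML)" here, and either dropping the WITH_EXPAT test or making the first hunk honour WITH_EXPAT so the two places agree on which knobs exist.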
--- patch_neon26.4.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: