From nobody Sun Jan 09 13:37:27 2022
Date: Sun, 9 Jan 2022 13:37:27 GMT
Message-Id: <202201091337.209DbRLQ076832@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Thomas Zander
Subject: git: 0d1194eee10d - main - security/vuxml: Document vulnerabilities in net/uniparser before 0.9.6
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: riggs
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0d1194eee10d5cf02f9b619cdfdd1cec8aa709a4

The branch main has been updated by riggs:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0d1194eee10d5cf02f9b619cdfdd1cec8aa709a4

commit 0d1194eee10d5cf02f9b619cdfdd1cec8aa709a4
Author:     Thomas Zander
AuthorDate: 2022-01-09 13:34:01 +0000
Commit:     Thomas Zander
CommitDate: 2022-01-09 13:37:24 +0000

    security/vuxml: Document vulnerabilities in net/uniparser before 0.9.6

    PR:		261056
    Security:	CVE-2021-46141 CVE-2021-46142
---
 security/vuxml/vuln-2022.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index fb30d1dcd7fc..1af266852b4f 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,44 @@ + + uriparser -- Multiple vulnerabilities + + + uriparser + 0.9.6 + + + + +

Upstream project reports:

+
+

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* + functions where the text range in .hostText would not be duped using + malloc but remain unchanged (and hence "not owned") for URIs with + an IPv4 or IPv6 address hostname; depending on how an application + uses uriparser, this could lead the application into a use-after-free + situation. + As the second half, fix uriFreeUriMembers* functions that would not + free .hostText memory for URIs with an IPv4 or IPv6 address host; + also, calling uriFreeUriMembers* multiple times on a URI of this + very nature would result in trying to free pointers to stack + (rather than heap) memory. + Fix functions uriNormalizeSyntax* for out-of-memory situations + (i.e. malloc returning NULL) for URIs containing empty segments + (any of user info, host text, query, or fragment) where previously + pointers to stack (rather than heap) memory were freed.

+
+ +
+ + CVE-2021-46141 + CVE-2021-46142 + https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog + + + 2022-01-06 + 2022-01-09 + +
+ Django -- multiple vulnerabilities
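Review bot: The commit subject and title name the port as net/uniparser, while the entry added in this hunk, the upstream ChangeLog reference (github.com/uriparser/uriparser) and both CVE references concern uriparser; the title should read net/uriparser so that a search of the commit log for the port name finds this advisory. A second, smaller point on the same hunk: the description is a verbatim ChangeLog excerpt that explains what was fixed rather than what an affected user is exposed to; a one-line summary ahead of the quoted text, stating that versions before 0.9.6 can hit a use-after-free or an invalid free when handling URIs with an IPv4 or IPv6 address host, or on the out-of-memory path of uriNormalizeSyntax*, would make the VuXML entry self-explanatory.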