Re: git: fb3e1d5f3dd2 - main - textproc/libxml2: backport upstream commits fixing CVEs
Date: Sun, 22 Jun 2025 08:13:39 UTC
On 2025-06-22 09:42, Herbert J. Skuhra wrote:
> On Sat, 21 Jun 2025 20:57:27 +0200, Charlie Li wrote:
>> The branch main has been updated by vishwin:
>>
>> URL:https://cgit.FreeBSD.org/ports/commit/?id=fb3e1d5f3dd216ef419a40570c1a97f1ee28a47f
>>
>> commit fb3e1d5f3dd216ef419a40570c1a97f1ee28a47f
>> Author: Charlie Li<vishwin@FreeBSD.org>
>> AuthorDate: 2025-06-21 18:55:14 +0000
>> Commit: Charlie Li<vishwin@FreeBSD.org>
>> CommitDate: 2025-06-21 18:55:14 +0000
>>
>> textproc/libxml2: backport upstream commits fixing CVEs
>>
>> [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
>> [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
>> [CVE-2025-32414] python: Read at most len/4 characters.
>>
>> PR: 287391
>> ---
>> textproc/libxml2/Makefile | 7 ++++++-
>> textproc/libxml2/distinfo | 8 +++++++-
>> textproc/py-libxml2/Makefile | 2 +-
>> 3 files changed, 14 insertions(+), 3 deletions(-)
>>
>> diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
>> index 251af286f36d..67c3243418bf 100644
>> --- a/textproc/libxml2/Makefile
>> +++ b/textproc/libxml2/Makefile
>> @@ -1,10 +1,15 @@
>> PORTNAME= libxml2
>> DISTVERSION= 2.11.9
>> -PORTREVISION?= 0
>> +PORTREVISION?= 1
>> CATEGORIES?= textproc gnome
>> MASTER_SITES= GNOME
>> DIST_SUBDIR= gnome
>>
>> +PATCH_SITES= https://gitlab.gnome.org/GNOME/${PORTNAME}/-/commit/
>> +PATCHFILES+= 245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch:-p1 # CVE-2024-56171
>> +PATCHFILES+= 858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch:-p1 # CVE-2025-24928
>> +PATCHFILES+= d7657811964eac1cb9743bb98649278ad948f0d2.patch:-p1 # CVE-2025-32414
>> +
>> MAINTAINER= desktop@FreeBSD.org
>> COMMENT?= XML parser library for GNOME
>> WWW= http://xmlsoft.org/
>> diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
>> index 4ea4340dc6f1..fc9a1ddad574 100644
>> --- a/textproc/libxml2/distinfo
>> +++ b/textproc/libxml2/distinfo
>> @@ -1,3 +1,9 @@
>> -TIMESTAMP = 1725749707
>> +TIMESTAMP = 1750532030
>> SHA256 (gnome/libxml2-2.11.9.tar.xz) = 780157a1efdb57188ec474dca87acaee67a3a839c2525b2214d318228451809f
>> SIZE (gnome/libxml2-2.11.9.tar.xz) = 2627500
>> +SHA256 (gnome/245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch) = 5fb5bed3c40fee5ecb60dbf96fd6c5071f08a54487f534540c54bc9cb6d5b16e
>> +SIZE (gnome/245b70d7d2768572ae1b05b3668ca858b9ec4ed4.patch) = 1273
>> +SHA256 (gnome/858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch) = e3585a9e59f3146a53a1091fd00378e81676a824feab037cd8d71807cea73c73
>> +SIZE (gnome/858ca26c0689161a6b903a6682cc8a1cc10a0ea8.patch) = 1806
>> +SHA256 (gnome/d7657811964eac1cb9743bb98649278ad948f0d2.patch) = 3d7e10866d8be511da64bee6a998c4f68785326bf0d403af7be6745830d9bca2
>> +SIZE (gnome/d7657811964eac1cb9743bb98649278ad948f0d2.patch) = 2526
>> diff --git a/textproc/py-libxml2/Makefile b/textproc/py-libxml2/Makefile
>> index 7633fdebb4a1..a9ff9bf0a9c7 100644
>> --- a/textproc/py-libxml2/Makefile
>> +++ b/textproc/py-libxml2/Makefile
>> @@ -1,4 +1,4 @@
>> -PORTREVISION= 2
>> +PORTREVISION= 3
>> CATEGORIES= textproc gnome python
>> PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
> Is there something wrong with security/vuxml/vuln/2025.xml?
>
> # pkg audit -F
> vulnxml file up-to-date
> libxml2-2.11.9_1 is vulnerable:
> libxml2 -- Out-of-bounds memory access
> CVE: CVE-2025-32414
> WWW:https://vuxml.FreeBSD.org/freebsd/2926c487-3e53-11f0-95d4-00a098b42aeb.html
>
> libxml2 -- Use After Free
> CVE: CVE-2024-56171
> WWW:https://vuxml.FreeBSD.org/freebsd/bd2af307-3e50-11f0-95d4-00a098b42aeb.html
>
> libxml2 -- Stack-based Buffer Overflow
> CVE: CVE-2025-24928
> WWW:https://vuxml.FreeBSD.org/freebsd/fdd02be0-3e50-11f0-95d4-00a098b42aeb.html
>
> 3 problem(s) in 1 package(s) found.
>
> $ ls -l /var/db/pkg/vuln.xml
> -r--r--r-- 1 root wheel 8690093 Jun 21 17:45 /var/db/pkg/vuln.xml
Hi,
It takes about 12-24h for VuXML entries to get update.
Best regards,
Daniel