From nobody Sat Jul 12 09:13:45 2025 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bfNDV1Q3Xz61c5R; Sat, 12 Jul 2025 09:13:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bfNDV0Brvz3cgC; Sat, 12 Jul 2025 09:13:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752311626; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0FjjllqkiDIxwOCZYT2i2/HeuJYzT12NN4XSMrjeyaI=; b=WFaMA1FYyoFz42BJCuzWybocQPQVQr3IfJrWhYreI1lWWb8J6kEmfPFdcJktQkxcVlAYXT YbY7eNinGFVX+9f/27PMrH/rCZkNHMV0xP4KIBG9VF6vKItdLHLkOzg4p8HUvNiC6dTNft EYg3zadoWo2gryvekil0d2gKP4wsY+QmbcK1n3GmhetOcCN6OXWhKOlyX6qq95AjXNQlLY t+Iv4Vwo17StZbkIKqNOuUte55HlZpNHzLMd+FhUJBgYPUPGPq4g72q1uqt0PawuzXTMqz dEu2Pz0ylnAHqL5W3zX8NxXJnRmtLt0GGG4otts+LWls6E5DA5qRMpicZTX67w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752311626; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=0FjjllqkiDIxwOCZYT2i2/HeuJYzT12NN4XSMrjeyaI=; b=LjIS/jdKLwAzUszwXR8ztAk+1rOEdu9mgd4FUGPEr/QdfSkEpYpxaVh82G6Jvrt9gkBxOw 59Qh8qOeTRLMoiS1uothF2MO4HMFAi8ctyux18mzcsrz5JFRgyC0yvSakJtWT/zdgjOZS3 0aJ61JtsISqdab7q9yzQFwfqT+aewIaAdheLHpJuO/UwmHxc3oO8rSC3OQkskf3ejwBIg9 Wvnt0Pecf6TpqmT4Jj4XF69Y65+rax6WFyz4iDssghpMnmoNERspsXXw/9g+okQRlaq/zh 9Wy1zJU+Jt862dQzker5dWWBewCABX2/pDL7ye+z8PMGGi27BZnkKHyVmdpG9g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1752311626; a=rsa-sha256; cv=none; b=NlF01u83BADPJFyeRhS17ujyrDg64vlvsFk66mADmosuQKshJ4c9p95GNUqF22oZ/eGgvc 56Zbaxe4yGAPXHe+64wpm6yhaJjxwoa9BDw4Hr5e8OpWKvoFRNcIQ0ZPUD46vXS4eP+3Bi EEj94eVCMU8OJMyht8Q4sYJLGVHXkePAzXbsA2esF61/l7LFZpeaGjQwy7bUJg989LeJ9L sNmGffxTSOkU8skn85053HXRTqzBJNTA0m3HIttP5EKfdTOtblSgWT64ECoTL0k3c/vAB8 brUtT5rdWM/ehzS0Azbk/z2sOQ54NsgfuYHXZHnC1tCsSsypUXtRvKayCLxE1g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bfNDT6rzPz1sx; Sat, 12 Jul 2025 09:13:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56C9DjU4099535; Sat, 12 Jul 2025 09:13:45 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56C9DjQk099532; Sat, 12 Jul 2025 09:13:45 GMT (envelope-from git) Date: Sat, 12 Jul 2025 09:13:45 GMT Message-Id: <202507120913.56C9DjQk099532@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Andree Subject: git: dceb46fc8a6e - main - textproc/libxml2, textproc/libxslt: vulnerable List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: dceb46fc8a6eea281dbafc46e6452a9d82550b09 Auto-Submitted: auto-generated The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=dceb46fc8a6eea281dbafc46e6452a9d82550b09 commit dceb46fc8a6eea281dbafc46e6452a9d82550b09 Author: Matthias Andree AuthorDate: 2025-07-12 09:10:11 +0000 Commit: Matthias Andree CommitDate: 2025-07-12 09:13:36 +0000 textproc/libxml2, textproc/libxslt: vulnerable Note that libxslt is vulnerable, unfixed, and without maintainer. Two of four vulnerabilities have been fixed. Note that libxml2 in our ports is vulnerable and there is no upstream release fixing these bugs, they need cherry-picks. Deprecate textproc/xmlto and textproc/minixmlto, which both depend on the unmaintained and vulnerable libxslt. I have filed https://pagure.io/xmlto/issue/15 to ask the xmlto upstream to switch to different XML/XSLT libraries. Two issues are undisclosed and do not seem to have a CVE assigned yet. Security: CVE-2025-6021 Security: CVE-2025-6170 Security: CVE-2025-7424 Security: CVE-2025-7425 Security: CVE-2025-49794 Security: CVE-2025-49795 Security: CVE-2025-49795 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/935 Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/144 Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 Security: https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt Security: https://www.openwall.com/lists/oss-security/2025/06/16/6 --- security/vuxml/vuln/2025.xml | 107 +++++++++++++++++++++++++++++++++++++++++++ textproc/libxslt/Makefile | 3 ++ textproc/minixmlto/Makefile | 3 ++ textproc/xmlto/Makefile | 29 +++++++----- 4 files changed, 130 insertions(+), 12 deletions(-) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index cbaccdd8f0ad..a37b43d29650 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,110 @@ + + libxslt -- unmaintained, with multiple unfixed vulnerabilities + + + libxslt + 2 + + + + +

Alan Coopersmith reports:

+
+

On 6/16/25 15:12, Alan Coopersmith wrote:

+

+ BTW, users of libxml2 may also be using its sibling project, libxslt, + which currently has no active maintainer, but has three unfixed security issues + reported against it according to + + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt +

+

2 of the 3 have now been disclosed:

+

(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
+ https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 + https://project-zero.issues.chromium.org/issues/409761909

+

(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
+ https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369

+

Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, + but neither has had a fix applied to the git repo since there is currently no + maintainer for libxslt.

+
+

Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see + + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt +

+ + + + CVE-2025-7424 + CVE-2025-7425 + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt + https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 + https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 + https://gitlab.gnome.org/GNOME/libxslt/-/issues/144 + https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 + https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988 + + + 2025-04-10 + 2025-07-12 + + + + + libxml2 -- multiple vulnerabilities + + + libxml2 + 3.0 + + + + +

Alan Coopersmith reports:

+
+

As discussed in + https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the + security policy of libxml2 has been changed to disclose vulnerabilities + before fixes are available so that people other than the maintainer can + contribute to fixing security issues in this library.

+

As part of this, the following 5 CVE's have been disclosed recently:

+

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) + https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 [...]

+

(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS) + https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 [...]

+

(CVE-2025-49796) Type confusion leads to Denial of service (DoS) + https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 [...]

+

For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in + https://gitlab.gnome.org/GNOME/libxml2/-/issues/935.

+

(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() + https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 [...]

+

(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell + https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 [...]

+
+ + + + CVE-2025-6021 + CVE-2025-6170 + CVE-2025-49794 + CVE-2025-49795 + CVE-2025-49795 + https://www.openwall.com/lists/oss-security/2025/06/16/6 + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt + https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/935 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 + https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 + + + 2025-05-27 + 2025-07-12 + + + mod_http2 -- Multiple vulnerabilities diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile index dcfd2041aefc..344606952e8f 100644 --- a/textproc/libxslt/Makefile +++ b/textproc/libxslt/Makefile @@ -12,6 +12,9 @@ WWW= https://gitlab.gnome.org/GNOME/libxslt/ LICENSE= MIT LICENSE_FILE= ${WRKSRC}/Copyright +DEPRECATED= unmaintained with multiple unfixed security vulnerabilities +EXPIRATION_DATE=2025-09-12 + # See note in textproc/libxml2 for why this port uses autotools USES= cpe gmake gnome libtool localbase:ldflags pathfix pkgconfig tar:xz CPE_VENDOR= xmlsoft diff --git a/textproc/minixmlto/Makefile b/textproc/minixmlto/Makefile index 0f7b3a058b33..351240e79858 100644 --- a/textproc/minixmlto/Makefile +++ b/textproc/minixmlto/Makefile @@ -9,6 +9,9 @@ WWW= https://github.com/bapt/minixmlto LICENSE= BSD2CLAUSE +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + RUN_DEPENDS= docbook-xsl>0:textproc/docbook-xsl \ xsltproc:textproc/libxslt \ html2text:textproc/html2text \ diff --git a/textproc/xmlto/Makefile b/textproc/xmlto/Makefile index cd2e6c55d175..278d599474d7 100644 --- a/textproc/xmlto/Makefile +++ b/textproc/xmlto/Makefile @@ -17,6 +17,9 @@ WWW= https://pagure.io/xmlto/ LICENSE= GPLv2 +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ ${GETOPT_CMD}:misc/getopt \ xmllint:textproc/libxml2 \ @@ -27,8 +30,19 @@ BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ docbook-xml>0:textproc/docbook-xml RUN_DEPENDS:= ${BUILD_DEPENDS} +USES= tar:bzip2 +GNU_CONFIGURE= yes +GNU_CONFIGURE_MANPREFIX=${PREFIX}/share +CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} +MAKE_ENV+= HOME=/dev/null + SUB_FILES= pkg-message +PORTDOCS= AUTHORS ChangeLog NEWS THANKS +# these documentation files do not convey information useful for +# the FreeBSD port at this time, or are provided by the ports framework: +# PORTDOCS+= COPYING FAQ README + OPTIONS_DEFINE= DOCS OPTIONS_GROUP= BACKEND OPTIONS_GROUP_BACKEND= DBLATEX FOP PASSIVETEX @@ -37,21 +51,12 @@ DBLATEX_DESC= Add dependency on DBlatex (DB for DocBook) FOP_DESC= Add dependency on FOP (requires Java) PASSIVETEX_DESC= Add dependency on XMLTeX/PassiveTeX -USES= tar:bzip2 -GNU_CONFIGURE= yes -GNU_CONFIGURE_MANPREFIX=${PREFIX}/share -CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} -MAKE_ENV+= HOME=/dev/null - BASH_CMD= ${LOCALBASE}/bin/bash GETOPT_CMD= ${LOCALBASE}/bin/getopt -XSL_DIR= ${LOCALBASE}/share/xsl/docbook PDFXMLTEX_CMD= ${LOCALBASE}/bin/pdftex - -PORTDOCS= AUTHORS ChangeLog NEWS THANKS -# these documentation files do not convey information useful for -# the FreeBSD port at this time, or are provided by the ports framework: -# PORTDOCS+= COPYING FAQ README +.ifnmake portclippy +XSL_DIR= ${LOCALBASE}/share/xsl/docbook +.endif .include