[Bug 288859] devel/dbus: default MANPAGES pulls vulnerable textproc/libxslt and blocks builds
Date: Wed, 13 Aug 2025 23:50:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288859
Bug ID: 288859
Summary: devel/dbus: default MANPAGES pulls vulnerable
textproc/libxslt and blocks builds
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: desktop@FreeBSD.org
Reporter: rikka.goering@outlook.de
Flags: maintainer-feedback?(desktop@FreeBSD.org)
Created attachment 262950
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=262950&action=edit
Removes MANPAGES from OPTIONS_DEFAULT in devel/dbus Makefile
Environment:
- FreeBSD: 14.3-RELEASE-p2 GENERIC (amd64)
- Ports tree: up to date as of 2025-08-12
- pkg: pkg -v -> 2.2.2
- Building with portmaster (also reproducible with make -C
/usr/ports/devel/dbus install)
Description:
When building devel/dbus with its default options, MANPAGES is enabled and
pulls in textproc/libxslt. The libxslt port is deprecated with multiple unfixed
CVEs and is scheduled for removal, so the build halts on the vulnerability
check and dbus cannot be built. This propagates to consumers (e.g.,
sysutils/slurm-wlm), which then fail to build through the dependency chain.
Actual result (excerpt):
===> Cleaning for libxslt-1.1.43_1
===> NOTICE:
This port is deprecated; you may wish to reconsider installing it:
unmaintained with multiple unfixed security vulnerabilities.
It is scheduled to be removed on or after 2025-09-12.
===> libxslt-1.1.43_1 has known vulnerabilities:
CVE: CVE-2025-7425
CVE: CVE-2025-7424
WWW:
https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html
...
*** Error code 1
Expected result:
devel/dbus builds successfully with default options (or avoids vulnerable
dependencies by default).
Steps to reproduce:
1. Update ports tree (e.g., portsnap auto or git -C /usr/ports pull).
2. cd /usr/ports/devel/dbus
3. Ensure default options are in use (no local overrides).
4. make install (or trigger via a consumer like portmaster
sysutils/slurm-wlm)
Analysis / Rationale:
- MANPAGES enables manpage generation, which depends on the doc toolchain
that includes textproc/libxslt.
- With libxslt deprecated and vulnerable, builds fail unless users globally
unset DOCS/MANPAGES or bypass vulnerabilities (discouraged).
- dbus runtime does not require manpages; disabling MANPAGES by default
mitigates this without affecting functionality.
Proposed fix:
The following git patch (which I also added to the attachments) should fix the
issue when applied, by removing MANPAGES from OPTIONS_DEFAULT:
diff --git a/devel/dbus/Makefile b/devel/dbus/Makefile
index 1ecf854e8588..8191479346e2 100644
--- a/devel/dbus/Makefile
+++ b/devel/dbus/Makefile
@@ -1,6 +1,6 @@
PORTNAME= dbus
DISTVERSION= 1.16.2
-PORTREVISION= 3
+PORTREVISION= 4
PORTEPOCH= 1
CATEGORIES= devel gnome
MASTER_SITES= https://dbus.freedesktop.org/releases/dbus/
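Review bot: The PORTREVISION bump (`-PORTREVISION= 3` / `+PORTREVISION= 4`) is required, not optional: dropping MANPAGES from OPTIONS_DEFAULT changes what the default package contains (the manpages disappear), so binary-package users need a new version to pick up the rebuild. Keep it, and state in the commit message that the bump is for the changed default options, since the libxslt deprecation by itself does not alter dbus's own contents.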
@@ -56,7 +56,7 @@ PLIST_SUB= GROUPS=${GROUPS} \
PORTEXAMPLES= *
OPTIONS_DEFINE= EXAMPLES MANPAGES X11
-OPTIONS_DEFAULT= MANPAGES X11
+OPTIONS_DEFAULT= X11
MANPAGES_BUILD_DEPENDS= docbook-xsl>0:textproc/docbook-xsl
MANPAGES_USES= gnome
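Review bot: Nothing in the hunk records why the default changed; add a comment above `OPTIONS_DEFAULT= X11` naming the textproc/libxslt deprecation so the default can be restored once libxslt is fixed or replaced, otherwise the lost manpages are a silent regression. The hunk also stops at `MANPAGES_USES= gnome` without its component list, so the libxslt dependency is not visible in the patch itself (only `docbook-xsl>0:textproc/docbook-xsl` is, via MANPAGES_BUILD_DEPENDS); confirm with `make -V BUILD_DEPENDS` under default options that libxslt really drops out, and check that pkg-plist already guards the manpage entries under the MANPAGES option so the default package and the plist stay in step.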
Workarounds for users (until fixed):
- make -C /usr/ports/devel/dbus config -> disable MANPAGES; or
- set in /etc/make.conf: OPTIONS_UNSET+= MANPAGES DOCS; or
- (not recommended) build with DISABLE_VULNERABILITIES=yes.
Additional notes:
I can run poudriere testport with this change if desired and attach logs. Happy
to submit the patch via a review as well.
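Added example, not code from the bug report or from the devel/dbus port: a small POSIX sh script that checks the reporter's claim by diffing the dependency closure of devel/dbus with and without MANPAGES, and that uses the per-port `devel_dbus_UNSET` override instead of the global `OPTIONS_UNSET` so no other port loses its documentation. The `all-depends-list` target and the `<category>_<port>_UNSET` variable are real ports-framework features; passing that variable on the make command line (rather than via /etc/make.conf) is assumed to behave the same, and the function names, the `--run` flag and the constructed dependency lists in `demo_offline` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the devel/dbus port.
# Shows which dependencies the MANPAGES option adds to devel/dbus by diffing
# the port's dependency closure with and without the option, and uses the
# per-port devel_dbus_UNSET override rather than the global OPTIONS_UNSET so
# that no other port loses its documentation. Assumes a FreeBSD host with a
# ports tree under $PORTSDIR for the make-based helpers; the list helpers and
# demo_offline() work anywhere on constructed input.
set -eu

PORTSDIR=${PORTSDIR:-/usr/ports}

# 0 if $1 (newline-separated absolute port paths, as printed by
# 'make all-depends-list') contains textproc/libxslt, 1 otherwise.
pulls_libxslt() {
    printf '%s\n' "$1" | grep -qx "$PORTSDIR/textproc/libxslt"
}

# Print the entries of list $1 that are absent from list $2, sorted.
# Plain POSIX sh: no process substitution, so match line by line.
deps_removed() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r dep; do
        [ -n "$dep" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$dep" || printf '%s\n' "$dep"
    done
}

# Dependency closure of a port origin (e.g. devel/dbus) with the tree's
# current options, including whatever the user saved via 'make config'.
port_deps() {
    make -C "$PORTSDIR/$1" all-depends-list
}

# Same closure with one option forced off for that port only. The ports
# framework reads <category>_<port>_UNSET (here devel_dbus_UNSET); passing it
# on the make command line is assumed (not verified here) to be equivalent to
# setting it in /etc/make.conf, which is the persistent form of the workaround.
port_deps_without() {
    name=$(printf '%s' "$1" | tr / _)
    make -C "$PORTSDIR/$1" "${name}_UNSET=$2" all-depends-list
}

# Report what an option drags in; return 2 if libxslt is still present after
# unsetting it, since then the option is not the (only) culprit.
report() {
    port=$1
    opt=$2
    with=$(port_deps "$port")
    without=$(port_deps_without "$port" "$opt")
    echo "Dependencies of $port removed by unsetting $opt:"
    deps_removed "$with" "$without" | sed "s|^$PORTSDIR/|  |"
    if pulls_libxslt "$without"; then
        echo "textproc/libxslt is still pulled in without $opt" >&2
        return 2
    fi
}

# Offline run on a constructed dependency list (not real make output):
# prints the origins that disappear when MANPAGES is unset.
demo_offline() {
    with="$PORTSDIR/textproc/docbook-xsl
$PORTSDIR/textproc/libxslt
$PORTSDIR/x11/libX11
$PORTSDIR/devel/pkgconf"
    without="$PORTSDIR/x11/libX11
$PORTSDIR/devel/pkgconf"
    deps_removed "$with" "$without"
}

# Usage on a FreeBSD host with a ports tree:  sh dbus-manpages-deps.sh --run
if [ "${1:-}" = "--run" ]; then
    report devel/dbus MANPAGES
fi
```

Run it with `--run` on the affected host before and after applying the patch: before, `textproc/libxslt` should appear in the removed list and the script should exit 0; if libxslt survives with MANPAGES unset, some other option or dependency is pulling it in and the proposed default change alone will not unblock the build.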