maintainer-feedback requested: [Bug 288859] devel/dbus: default MANPAGES pulls vulnerable textproc/libxslt and blocks builds

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 13 Aug 2025 23:50:01 UTC
Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-desktop (Team)
<desktop@FreeBSD.org> for maintainer-feedback:
Bug 288859: devel/dbus: default MANPAGES pulls vulnerable textproc/libxslt and
blocks builds
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288859



--- Description ---
Environment:

    - FreeBSD: 14.3-RELEASE-p2 GENERIC (amd64) 

    - Ports tree: up to date as of 2025-08-12 

    - pkg: pkg -v -> 2.2.2

    - Building with portmaster (also reproducible with make -C
/usr/ports/devel/dbus install)



Description:
When building devel/dbus with its default options, MANPAGES is enabled and
pulls in textproc/libxslt. The libxslt port is deprecated with multiple unfixed
CVEs and is scheduled for removal, so the build halts on the vulnerability
check and dbus cannot be built. This propagates to consumers (e.g.,
sysutils/slurm-wlm), which then fail to build through the dependency chain.


Actual result (excerpt):
===>  Cleaning for libxslt-1.1.43_1
===>   NOTICE:
This port is deprecated; you may wish to reconsider installing it:
unmaintained with multiple unfixed security vulnerabilities.
It is scheduled to be removed on or after 2025-09-12.

===>  libxslt-1.1.43_1 has known vulnerabilities:
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW:
https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html
...
*** Error code 1


Expected result:
devel/dbus builds successfully with default options (or avoids vulnerable
dependencies by default).


Steps to reproduce:

    1. Update ports tree (e.g., portsnap auto or git -C /usr/ports pull).

    2. cd /usr/ports/devel/dbus

    3. Ensure default options are in use (no local overrides).

    4. make install   (or trigger via a consumer like portmaster
sysutils/slurm-wlm)



Analysis / Rationale:

    - MANPAGES enables manpage generation, which depends on the doc toolchain
that includes textproc/libxslt.

    - With libxslt deprecated and vulnerable, builds fail unless users globally
unset DOCS/MANPAGES or bypass vulnerabilities (discouraged).

    - dbus runtime does not require manpages; disabling MANPAGES by default
mitigates this without affecting functionality.



Proposed fix:
The following git patch (which I also added to attachments) should fix the
issue, when applied, by removing MANPAGES from OPTIONS_DEFAULT:
diff --git a/devel/dbus/Makefile b/devel/dbus/Makefile
index 1ecf854e8588..8191479346e2 100644
--- a/devel/dbus/Makefile
+++ b/devel/dbus/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	dbus
 DISTVERSION=	1.16.2
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	devel gnome
 MASTER_SITES=	https://dbus.freedesktop.org/releases/dbus/
@@ -56,7 +56,7 @@ PLIST_SUB=	GROUPS=${GROUPS} \
 PORTEXAMPLES=	*

 OPTIONS_DEFINE=		EXAMPLES MANPAGES X11
-OPTIONS_DEFAULT=	MANPAGES X11
+OPTIONS_DEFAULT=	X11

 MANPAGES_BUILD_DEPENDS=		docbook-xsl>0:textproc/docbook-xsl
 MANPAGES_USES= 		gnome
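
Review bot: at the OPTIONS_DEFAULT line, the textproc/libxslt dependency that motivates the change is not visible in this hunk: MANPAGES_BUILD_DEPENDS names only docbook-xsl and MANPAGES_USES names only gnome. Please say in the commit message which of these brings libxslt into the build, and note that default-option builds will no longer generate the man pages, so the reason for the PORTREVISION bump is recorded with the change.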


Workarounds for users (until fixed):

    - make -C /usr/ports/devel/dbus config -> disable MANPAGES; or

    - set in /etc/make.conf: OPTIONS_UNSET+= MANPAGES DOCS; or

    - (not recommended) build with DISABLE_VULNERABILITIES=yes.


Additional notes:
I can run poudriere testport with this change if desired and attach logs. Happy
to submit the patch via a review as well.