Date: Fri, 26 Sep 2008 16:36:31 GMT
From: bf <bf2006a@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/127661: [PATCH]textproc/libxml2: update to 2.7.1, which includes security fixes
Message-ID: <200809261636.m8QGaVFS035825@www.freebsd.org>
Resent-Message-ID: <200809261640.m8QGe3fr049330@freefall.freebsd.org>
>Number: 127661
>Category: ports
>Synopsis: [PATCH]textproc/libxml2: update to 2.7.1, which includes security fixes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 26 16:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: bf
>Release: 7-STABLE i386
>Organization: -
>Environment:
>Description:
I hesitated to suggest a change to this port during slush, because it has a number of important dependencies, but I think that it would be better to address the security problems with the current version sooner rather than later. I didn't see an update to this port in the marcuscom repository ports module, although one person did make a reference to one of the security problems in a post to the freebsd-gnome mailing list. There are two options to deal with the security problems: either stick with 2.6.32 and patch it; or update to 2.7.1. Since I'm guessing that we'll eventually be moving to the newer version, I chose the latter. Besides, 2.7.1 has some other improvements: in addition to fixes for CVE-2008-3281 and CVE-2008-3529, it also fixes other bugs, and attempts to prevent more of the kinds of attacks described in CVE-2003-1564 than does 2.6.32. This didn't cause any problems in the dependent ports that I have installed on 7-STABLE i386. It also passed most of the bundled regression tests. In a cursory check of some related mailing lists, I found some mention of problems that 2.7.0 caused with a few other pieces of software that had abused the libxml2 API, but these seem to have been addressed in 2.7.1, and in the other software. Also, 2.7.1 seems to have been incorporated in Red Hat's package system and NetBSD pkgsrc, so it seems okay to stick it in. If these changes are accepted, py-libxml2 will also need a small patch, which I will send in a subsequent message.
For an overview of changes, see: http://xmlsoft.org/news.html >How-To-Repeat: >Fix: Patch attached with submission follows: diff -ruN libxml2.orig/Makefile libxml2/Makefile --- libxml2.orig/Makefile 2008-09-21 02:17:35.033361776 -0400 +++ libxml2/Makefile 2008-09-21 04:03:28.421022218 -0400 @@ -12,7 +12,7 @@ # PORTNAME= libxml2 -PORTVERSION= 2.6.32 +PORTVERSION= 2.7.1 PORTREVISION?= 0 CATEGORIES?= textproc gnome MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \ @@ -65,6 +65,9 @@ .endif post-patch: + @${REINPLACE_CMD} -e 's|%%FREEBSD_LIBXML_VERSION_INFO%%|5:1:0|' \ + ${WRKSRC}/Makefile.in + .for d in . doc doc/devhelp doc/examples @${REINPLACE_CMD} -e '/^install-data-am:/ s|install-data-local||' \ ${WRKSRC}/${d}/Makefile.in diff -ruN libxml2.orig/distinfo libxml2/distinfo --- libxml2.orig/distinfo 2008-09-21 02:17:35.033361776 -0400 +++ libxml2/distinfo 2008-09-21 04:03:28.421022218 -0400 @@ -1,3 +1,3 @@ -MD5 (gnome2/libxml2-2.6.32.tar.gz) = 2621d322c16f0257e30f0ff2b13384de -SHA256 (gnome2/libxml2-2.6.32.tar.gz) = 1b4428b879afcaae3c2013b21283baad040661fbd502e893e83adc3d15c85d53 -SIZE (gnome2/libxml2-2.6.32.tar.gz) = 4722227 +MD5 (gnome2/libxml2-2.7.1.tar.gz) = abc093e9ac7ea1aabf37982ae9df6d6c +SHA256 (gnome2/libxml2-2.7.1.tar.gz) = 636d3f2c08ff69dd96182d49a3c75027d1bfe8e645e5a1d075a51fc9a9065bd9 +SIZE (gnome2/libxml2-2.7.1.tar.gz) = 4769568 diff -ruN libxml2.orig/files/patch-aa libxml2/files/patch-aa --- libxml2.orig/files/patch-aa 2008-09-21 02:17:34.993361999 -0400 +++ libxml2/files/patch-aa 2008-09-21 04:03:28.421022218 -0400 
@@ -1,31 +1,24 @@ ---- Makefile.in.orig 2008-01-22 15:47:56.000000000 -0500 -+++ Makefile.in 2008-01-22 15:49:21.000000000 -0500 -@@ -486,13 +486,13 @@ sysconfdir = @sysconfdir@ - target_alias = @target_alias@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ --SUBDIRS = include . doc example xstc @PYTHON_SUBDIR@ -+SUBDIRS = include . doc example xstc @WITH_PYTHON_TRUE@ @PYTHON_SUBDIR@ - DIST_SUBDIRS = include . doc example python xstc - INCLUDES = -I$(top_builddir)/include -I@srcdir@/include @THREAD_CFLAGS@ @Z_CFLAGS@ +--- Makefile.in.orig 2008-09-21 02:30:27.355231455 -0400 ++++ Makefile.in 2008-09-21 03:31:02.901115638 -0400 +@@ -519,7 +519,7 @@ bin_SCRIPTS = xml2-config lib_LTLIBRARIES = libxml2.la libxml2_la_LIBADD = @THREAD_LIBS@ @Z_LIBS@ $(ICONV_LIBS) @M_LIBS@ @WIN32_EXTRA_LIBADD@ -libxml2_la_LDFLAGS = @CYGWIN_EXTRA_LDFLAGS@ @WIN32_EXTRA_LDFLAGS@ -version-info @LIBXML_VERSION_INFO@ @MODULE_PLATFORM_LIBS@ -+libxml2_la_LDFLAGS = @CYGWIN_EXTRA_LDFLAGS@ @WIN32_EXTRA_LDFLAGS@ -version-info 5:0:0 @MODULE_PLATFORM_LIBS@ ++libxml2_la_LDFLAGS = @CYGWIN_EXTRA_LDFLAGS@ @WIN32_EXTRA_LDFLAGS@ -version-info %%FREEBSD_LIBXML_VERSION_INFO%% @MODULE_PLATFORM_LIBS@ @WITH_TRIO_SOURCES_FALSE@libxml2_la_SOURCES = SAX.c entities.c encoding.c error.c parserInternals.c \ @WITH_TRIO_SOURCES_FALSE@ parser.c tree.c hash.c list.c xmlIO.c xmlmemory.c uri.c \ @WITH_TRIO_SOURCES_FALSE@ valid.c xlink.c HTMLparser.c HTMLtree.c debugXML.c xpath.c \ -@@ -590,7 +590,7 @@ testapi_LDFLAGS = - testapi_DEPENDENCIES = $(DEPS) - testapi_LDADD = $(LDADDS) - CLEANFILES = xml2Conf.sh +@@ -633,7 +633,7 @@ + runxmlconf_DEPENDENCIES = $(DEPS) + runxmlconf_LDADD = $(LDADDS) + CLEANFILES = xml2Conf.sh *.gcda *.gcno -confexecdir = $(libdir) +confexecdir = $(sysconfdir) confexec_DATA = xml2Conf.sh CVS_EXTRA_DIST = EXTRA_DIST = xml2-config.in xml2Conf.sh.in libxml.spec.in libxml2.spec \ -@@ -613,8 +613,8 @@ pkgconfig_DATA = libxml-2.0.pc +@@ -656,8 +656,8 @@ # Install the tests program sources as 
examples # BASE_DIR = $(datadir)/doc @@ -33,12 +26,12 @@ -EXAMPLES_DIR = $(BASE_DIR)/$(DOC_MODULE)/examples +DOC_MODULE = libxml2 +EXAMPLES_DIR = $(datadir)/examples/libxml2 - all: config.h - $(MAKE) $(AM_MAKEFLAGS) all-recursive -@@ -1344,7 +1344,7 @@ distcleancheck: distclean + # + # Coverage support, largely borrowed from libvirt +@@ -1414,7 +1414,7 @@ + exit 1; } >&2 check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local check: check-recursive -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(MANS) $(DATA) \ +all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS) $(DATA) \ >Release-Note: >Audit-Trail: >Unformatted:
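Review bot: In the post-patch hunk of Makefile, the libtool version triple `5:1:0` is hardcoded inside the REINPLACE_CMD expression with no comment saying why upstream's `@LIBXML_VERSION_INFO@` is overridden or how the value was chosen. The old patch-aa pinned `5:0:0`, so this is a revision-only bump, which by libtool convention asserts that the interface is unchanged between 2.6.32 and 2.7.1; please confirm that, and consider moving the triple into a named make variable next to PORTVERSION with a one-line comment so the next update does not silently keep a stale value.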
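Review bot: In the distinfo hunk, the new MD5, SHA256 and SIZE values for `gnome2/libxml2-2.7.1.tar.gz` arrive only through this PR, and nothing in the submission ties them to an upstream-published checksum or signature. Since the update is motivated by security fixes, the committer should fetch the tarball independently from MASTER_SITES, regenerate the file with `make makesum`, and check that the result matches these three lines before committing rather than applying the hunk as submitted.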
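Review bot: In the first files/patch-aa hunk, the old Makefile.in change to `SUBDIRS` (adding `@WITH_PYTHON_TRUE@` before `@PYTHON_SUBDIR@`) is dropped without any replacement or explanation in the patch. The description says py-libxml2 will need a follow-up patch sent separately; if that follow-up is what compensates for the removed `SUBDIRS` edit, both changes should be committed together, and the reason for dropping the hunk should be stated in the commit log so the python slave port is not left broken in between.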