author | Matthias Andree <mandree@FreeBSD.org> | 2025-07-12 11:10:11 +0200 |
---|---|---|
committer | Matthias Andree <mandree@FreeBSD.org> | 2025-07-12 11:13:36 +0200 |
commit | dceb46fc8a6eea281dbafc46e6452a9d82550b09 (patch) | |
tree | f231d078f57f02b045cf3053c7f92a4ad53b70f4 | |
parent | net/usockets: Enable riscv64 build (diff) |
textproc/libxml2, textproc/libxslt: vulnerable
Note that libxslt is vulnerable, unfixed, and without maintainer.
Two of four vulnerabilities have been fixed.
Note that libxml2 in our ports is vulnerable and there is no upstream
release fixing these bugs; they need cherry-picks.
Deprecate textproc/xmlto and textproc/minixmlto,
which both depend on the unmaintained and vulnerable libxslt.
I have filed https://pagure.io/xmlto/issue/15 to ask the xmlto
upstream to switch to different XML/XSLT libraries.
Two issues are undisclosed and do not seem to have a CVE assigned yet.
Security: CVE-2025-6021
Security: CVE-2025-6170
Security: CVE-2025-7424
Security: CVE-2025-7425
Security: CVE-2025-49794
Security: CVE-2025-49795
Security: CVE-2025-49795
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/932
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/935
Security: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
Security: https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
Security: https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
Security: https://www.openwall.com/lists/oss-security/2025/06/16/6
-rw-r--r-- | security/vuxml/vuln/2025.xml | 107 |
-rw-r--r-- | textproc/libxslt/Makefile | 3 |
-rw-r--r-- | textproc/minixmlto/Makefile | 3 |
-rw-r--r-- | textproc/xmlto/Makefile | 29 |
4 files changed, 130 insertions, 12 deletions
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index cbaccdd8f0ad..a37b43d29650 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml 
@@ -1,3 +1,110 @@ + <vuln vid="b0a3466f-5efc-11f0-ae84-99047d0a6bcc"> + <topic>libxslt -- unmaintained, with multiple unfixed vulnerabilities</topic> + <affects> + <package> + <name>libxslt</name> + <range><lt>2</lt></range> <!-- adjust should libxslt ever be fixed --> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alan Coopersmith reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2025/07/11/2"> + <p>On 6/16/25 15:12, Alan Coopersmith wrote:</p> + <p><em> + BTW, users of libxml2 may also be using its sibling project, libxslt, + which currently has no active maintainer, but has three unfixed security issues + reported against it according to + <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt"> + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a> + </em></p> + <p>2 of the 3 have now been disclosed:</p> + <p>(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes<br /> + <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/139">https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</a> + <a href="https://project-zero.issues.chromium.org/issues/409761909">https://project-zero.issues.chromium.org/issues/409761909</a></p> + <p>(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption<br /> + <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/140">https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</a><br /><a href="https://project-zero.issues.chromium.org/issues/410569369">https://project-zero.issues.chromium.org/issues/410569369</a></p> + <p>Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, + but neither has had a fix applied to the git repo since there is currently no + maintainer for libxslt.</p> + </blockquote> + <p>Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME 
libxslt issue 148, link below), see + <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt"> + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a> + </p> + </body> + </description> + <references> + <cvename>CVE-2025-7424</cvename> + <cvename>CVE-2025-7425</cvename> + <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/144</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/148</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988</url> + </references> + <dates> + <discovery>2025-04-10</discovery> + <entry>2025-07-12</entry> + </dates> + </vuln> + + <vuln vid="abbc8912-5efa-11f0-ae84-99047d0a6bcc"> + <topic>libxml2 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>libxml2</name> + <range><lt>3.0</lt></range> <!-- needs update once fixed version appears --> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alan Coopersmith reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2025/06/16/6"> + <p>As discussed in + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/913">https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</a> the + security policy of libxml2 has been changed to disclose vulnerabilities + before fixes are available so that people other than the maintainer can + contribute to fixing security issues in this library.</p> + <p>As part of this, the following 5 CVE's have been disclosed recently:</p> + <p>(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/931">https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</a> [...]</p> + <p>(CVE-2025-49795) 
Null pointer dereference leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/932">https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</a> [...]</p> + <p>(CVE-2025-49796) Type confusion leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/933">https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</a> [...]</p> + <p>For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/935">https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</a>.</p> + <p>(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/926">https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</a> [...]</p> + <p>(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/941">https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</a> [...]</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-6021</cvename> + <cvename>CVE-2025-6170</cvename> + <cvename>CVE-2025-49794</cvename> + <cvename>CVE-2025-49795</cvename> + <cvename>CVE-2025-49795</cvename> + <url>https://www.openwall.com/lists/oss-security/2025/06/16/6</url> + <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</url> + </references> + <dates> + <discovery>2025-05-27</discovery> + <entry>2025-07-12</entry> + 
</dates> + </vuln> + <vuln vid="61d74f80-5e9e-11f0-8baa-8447094a420f"> <topic>mod_http2 -- Multiple vulnerabilities</topic> <affects> diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile index dcfd2041aefc..344606952e8f 100644 --- a/textproc/libxslt/Makefile +++ b/textproc/libxslt/Makefile @@ -12,6 +12,9 @@ WWW= https://gitlab.gnome.org/GNOME/libxslt/ LICENSE= MIT LICENSE_FILE= ${WRKSRC}/Copyright +DEPRECATED= unmaintained with multiple unfixed security vulnerabilities +EXPIRATION_DATE=2025-09-12 + # See note in textproc/libxml2 for why this port uses autotools USES= cpe gmake gnome libtool localbase:ldflags pathfix pkgconfig tar:xz CPE_VENDOR= xmlsoft diff --git a/textproc/minixmlto/Makefile b/textproc/minixmlto/Makefile index 0f7b3a058b33..351240e79858 100644 --- a/textproc/minixmlto/Makefile +++ b/textproc/minixmlto/Makefile @@ -9,6 +9,9 @@ WWW= https://github.com/bapt/minixmlto LICENSE= BSD2CLAUSE +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + RUN_DEPENDS= docbook-xsl>0:textproc/docbook-xsl \ xsltproc:textproc/libxslt \ html2text:textproc/html2text \ diff --git a/textproc/xmlto/Makefile b/textproc/xmlto/Makefile index cd2e6c55d175..278d599474d7 100644 --- a/textproc/xmlto/Makefile +++ b/textproc/xmlto/Makefile @@ -17,6 +17,9 @@ WWW= https://pagure.io/xmlto/ LICENSE= GPLv2 +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ ${GETOPT_CMD}:misc/getopt \ xmllint:textproc/libxml2 \ 
@@ -27,8 +30,19 @@ BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ docbook-xml>0:textproc/docbook-xml RUN_DEPENDS:= ${BUILD_DEPENDS} +USES= tar:bzip2 +GNU_CONFIGURE= yes +GNU_CONFIGURE_MANPREFIX=${PREFIX}/share +CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} +MAKE_ENV+= HOME=/dev/null + SUB_FILES= pkg-message +PORTDOCS= AUTHORS ChangeLog NEWS THANKS +# these documentation files do not convey information useful for +# the FreeBSD port at this time, or are provided by the ports framework: +# PORTDOCS+= COPYING FAQ README + OPTIONS_DEFINE= DOCS OPTIONS_GROUP= BACKEND OPTIONS_GROUP_BACKEND= DBLATEX FOP PASSIVETEX @@ -37,21 +51,12 @@ DBLATEX_DESC= Add dependency on DBlatex (DB for DocBook) FOP_DESC= Add dependency on FOP (requires Java) PASSIVETEX_DESC= Add dependency on XMLTeX/PassiveTeX -USES= tar:bzip2 -GNU_CONFIGURE= yes -GNU_CONFIGURE_MANPREFIX=${PREFIX}/share -CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} -MAKE_ENV+= HOME=/dev/null - BASH_CMD= ${LOCALBASE}/bin/bash GETOPT_CMD= ${LOCALBASE}/bin/getopt -XSL_DIR= ${LOCALBASE}/share/xsl/docbook PDFXMLTEX_CMD= ${LOCALBASE}/bin/pdftex - -PORTDOCS= AUTHORS ChangeLog NEWS THANKS -# these documentation files do not convey information useful for -# the FreeBSD port at this time, or are provided by the ports framework: -# PORTDOCS+= COPYING FAQ README +.ifnmake portclippy +XSL_DIR= ${LOCALBASE}/share/xsl/docbook +.endif .include <bsd.port.pre.mk> |
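Review bot: In the security/vuxml/vuln/2025.xml hunk, the references block of the libxml2 entry (vid abbc8912-5efa-11f0-ae84-99047d0a6bcc) lists `<cvename>CVE-2025-49795</cvename>` twice and never lists CVE-2025-49796, although the description of the same entry names CVE-2025-49796 (type confusion, libxml2 issue 933). The second cvename should read CVE-2025-49796, otherwise a lookup by that CVE will not find this entry. Both `<range>` bounds (`<lt>2</lt>` for libxslt, `<lt>3.0</lt>` for libxml2) are catch-all placeholders according to their own inline comments, so they need a follow-up as soon as a fixed version exists or the entries will keep flagging patched packages.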
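Review bot: The textproc/libxslt/Makefile hunk sets DEPRECATED and EXPIRATION_DATE=2025-09-12 on libxslt itself, but the commit message only announces the deprecation of textproc/xmlto and textproc/minixmlto. The message should state that libxslt is scheduled for expiry as well, since that is the change with the widest effect. As a style point, this DEPRECATED text starts in lower case ("unmaintained with ...") while the two dependent ports use "Depends on ..."; pick one capitalization.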
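Review bot: The `@@ -27,8 +30,19 @@` hunk of textproc/xmlto/Makefile moves USES, GNU_CONFIGURE, GNU_CONFIGURE_MANPREFIX, CONFIGURE_ARGS, MAKE_ENV and PORTDOCS above OPTIONS_DEFINE, which is a pure reordering that the commit message does not mention and that has nothing to do with the deprecation. It should go into a separate commit so that the security-relevant change to this port (the three DEPRECATED/EXPIRATION_DATE lines in the previous hunk) stays easy to audit and to back out.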
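Review bot: In the last textproc/xmlto/Makefile hunk (`@@ -37,21 +51,12 @@`), XSL_DIR is now wrapped in `.ifnmake portclippy` / `.endif` with no comment explaining why the variable has to be hidden from that target. Add a one-line comment above the guard stating the reason, so that a later cleanup does not remove the conditional or copy it to other variables without understanding it. Like the reordering in the hunk before, this is unrelated to the vulnerability handling and belongs in its own commit.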