diff options
| -rw-r--r-- | security/vuxml/vuln/2025.xml | 107 | ||||
| -rw-r--r-- | textproc/libxslt/Makefile | 3 | ||||
| -rw-r--r-- | textproc/minixmlto/Makefile | 3 | ||||
| -rw-r--r-- | textproc/xmlto/Makefile | 29 |
4 files changed, 130 insertions, 12 deletions
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index cbaccdd8f0ad..a37b43d29650 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,110 @@ + <vuln vid="b0a3466f-5efc-11f0-ae84-99047d0a6bcc"> + <topic>libxslt -- unmaintained, with multiple unfixed vulnerabilities</topic> + <affects> + <package> + <name>libxslt</name> + <range><lt>2</lt></range> <!-- adjust should libxslt ever be fixed --> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alan Coopersmith reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2025/07/11/2"> + <p>On 6/16/25 15:12, Alan Coopersmith wrote:</p> + <p><em> + BTW, users of libxml2 may also be using its sibling project, libxslt, + which currently has no active maintainer, but has three unfixed security issues + reported against it according to + <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt"> + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a> + </em></p> + <p>2 of the 3 have now been disclosed:</p> + <p>(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes<br /> + <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/139">https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</a> + <a href="https://project-zero.issues.chromium.org/issues/409761909">https://project-zero.issues.chromium.org/issues/409761909</a></p> + <p>(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption<br /> + <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/140">https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</a><br /><a href="https://project-zero.issues.chromium.org/issues/410569369">https://project-zero.issues.chromium.org/issues/410569369</a></p> + <p>Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, + but neither has had a fix applied to the git repo since there is currently no + maintainer for libxslt.</p> + </blockquote> + <p>Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see + <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt"> + https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a> + </p> + </body> + </description> + <references> + <cvename>CVE-2025-7424</cvename> + <cvename>CVE-2025-7425</cvename> + <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/144</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/148</url> + <url>https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988</url> + </references> + <dates> + <discovery>2025-04-10</discovery> + <entry>2025-07-12</entry> + </dates> + </vuln> + + <vuln vid="abbc8912-5efa-11f0-ae84-99047d0a6bcc"> + <topic>libxml2 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>libxml2</name> + <range><lt>3.0</lt></range> <!-- needs update once fixed version appears --> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Alan Coopersmith reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2025/06/16/6"> + <p>As discussed in + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/913">https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</a> the + security policy of libxml2 has been changed to disclose vulnerabilities + before fixes are available so that people other than the maintainer can + contribute to fixing security issues in this library.</p> + <p>As part of this, the following 5 CVE's have been disclosed recently:</p> + <p>(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/931">https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</a> [...]</p> + <p>(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/932">https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</a> [...]</p> + <p>(CVE-2025-49796) Type confusion leads to Denial of service (DoS) + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/933">https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</a> [...]</p> + <p>For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/935">https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</a>.</p> + <p>(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/926">https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</a> [...]</p> + <p>(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell + <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/941">https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</a> [...]</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-6021</cvename> + <cvename>CVE-2025-6170</cvename> + <cvename>CVE-2025-49794</cvename> + <cvename>CVE-2025-49795</cvename> + <cvename>CVE-2025-49795</cvename> + <url>https://www.openwall.com/lists/oss-security/2025/06/16/6</url> + <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</url> + <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</url> + </references> + <dates> + <discovery>2025-05-27</discovery> + <entry>2025-07-12</entry> + </dates> + </vuln> + <vuln vid="61d74f80-5e9e-11f0-8baa-8447094a420f"> <topic>mod_http2 -- Multiple vulnerabilities</topic> <affects> diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile index dcfd2041aefc..344606952e8f 100644 --- a/textproc/libxslt/Makefile +++ b/textproc/libxslt/Makefile @@ -12,6 +12,9 @@ WWW= https://gitlab.gnome.org/GNOME/libxslt/ LICENSE= MIT LICENSE_FILE= ${WRKSRC}/Copyright +DEPRECATED= unmaintained with multiple unfixed security vulnerabilities +EXPIRATION_DATE=2025-09-12 + # See note in textproc/libxml2 for why this port uses autotools USES= cpe gmake gnome libtool localbase:ldflags pathfix pkgconfig tar:xz CPE_VENDOR= xmlsoft diff --git a/textproc/minixmlto/Makefile b/textproc/minixmlto/Makefile index 0f7b3a058b33..351240e79858 100644 --- a/textproc/minixmlto/Makefile +++ b/textproc/minixmlto/Makefile @@ -9,6 +9,9 @@ WWW= https://github.com/bapt/minixmlto LICENSE= BSD2CLAUSE +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + RUN_DEPENDS= docbook-xsl>0:textproc/docbook-xsl \ xsltproc:textproc/libxslt \ html2text:textproc/html2text \ diff --git a/textproc/xmlto/Makefile b/textproc/xmlto/Makefile index cd2e6c55d175..278d599474d7 100644 --- a/textproc/xmlto/Makefile +++ b/textproc/xmlto/Makefile @@ -17,6 +17,9 @@ WWW= https://pagure.io/xmlto/ LICENSE= GPLv2 +DEPRECATED= Depends on vulnerable unmaintained libxslt +EXPIRATION_DATE=2025-09-12 + BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ ${GETOPT_CMD}:misc/getopt \ xmllint:textproc/libxml2 \ @@ -27,8 +30,19 @@ BUILD_DEPENDS= ${BASH_CMD}:shells/bash \ docbook-xml>0:textproc/docbook-xml RUN_DEPENDS:= ${BUILD_DEPENDS} +USES= tar:bzip2 +GNU_CONFIGURE= yes +GNU_CONFIGURE_MANPREFIX=${PREFIX}/share +CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} +MAKE_ENV+= HOME=/dev/null + SUB_FILES= pkg-message +PORTDOCS= AUTHORS ChangeLog NEWS THANKS +# these documentation files do not convey information useful for +# the FreeBSD port at this time, or are provided by the ports framework: +# PORTDOCS+= COPYING FAQ README + OPTIONS_DEFINE= DOCS OPTIONS_GROUP= BACKEND OPTIONS_GROUP_BACKEND= DBLATEX FOP PASSIVETEX @@ -37,21 +51,12 @@ DBLATEX_DESC= Add dependency on DBlatex (DB for DocBook) FOP_DESC= Add dependency on FOP (requires Java) PASSIVETEX_DESC= Add dependency on XMLTeX/PassiveTeX -USES= tar:bzip2 -GNU_CONFIGURE= yes -GNU_CONFIGURE_MANPREFIX=${PREFIX}/share -CONFIGURE_ARGS= BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD} -MAKE_ENV+= HOME=/dev/null - BASH_CMD= ${LOCALBASE}/bin/bash GETOPT_CMD= ${LOCALBASE}/bin/getopt -XSL_DIR= ${LOCALBASE}/share/xsl/docbook PDFXMLTEX_CMD= ${LOCALBASE}/bin/pdftex - -PORTDOCS= AUTHORS ChangeLog NEWS THANKS -# these documentation files do not convey information useful for -# the FreeBSD port at this time, or are provided by the ports framework: -# PORTDOCS+= COPYING FAQ README +.ifnmake portclippy +XSL_DIR= ${LOCALBASE}/share/xsl/docbook +.endif .include <bsd.port.pre.mk> |