Diffstat (limited to 'security')
-rw-r--r--security/boringssl/Makefile4
-rw-r--r--security/boringssl/distinfo6
-rw-r--r--security/fakeroot/Makefile2
-rw-r--r--security/fakeroot/distinfo6
-rw-r--r--security/fizz/Makefile2
-rw-r--r--security/fizz/distinfo6
-rw-r--r--security/libp11/Makefile6
-rw-r--r--security/libp11/distinfo6
-rw-r--r--security/libp11/files/patch-configure.ac4
-rw-r--r--security/libp11/files/patch-src_Makefile.am13
-rw-r--r--security/libp11/pkg-plist7
-rw-r--r--security/modsecurity3/Makefile2
-rw-r--r--security/modsecurity3/distinfo6
-rw-r--r--security/quantis-kmod/Makefile4
-rw-r--r--security/tpm2-abrmd/Makefile7
-rw-r--r--security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf22
-rw-r--r--security/tpm2-abrmd/files/patch-src_response-sink.c11
-rw-r--r--security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c11
-rw-r--r--security/tpm2-abrmd/files/patch-src_util.c11
-rw-r--r--security/tpm2-abrmd/files/patch-src_util.h11
-rw-r--r--security/tpm2-abrmd/files/tpm2-abrmd-devd.conf9
-rw-r--r--security/tpm2-abrmd/files/tpm2_abrmd.in (renamed from security/tpm2-abrmd/files/tpm2-abrmd.in)0
-rw-r--r--security/tpm2-abrmd/pkg-message10
-rw-r--r--security/tpm2-abrmd/pkg-plist1
-rw-r--r--security/tpm2-tss/Makefile2
-rw-r--r--security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c11
-rw-r--r--security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c12
-rw-r--r--security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c16
-rw-r--r--security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c11
-rw-r--r--security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c14
-rw-r--r--security/vuxml/vuln/2025.xml134
31 files changed, 318 insertions, 49 deletions
diff --git a/security/boringssl/Makefile b/security/boringssl/Makefile
index b427ea2ca43b..6605e0b5f37c 100644
--- a/security/boringssl/Makefile
+++ b/security/boringssl/Makefile
@@ -1,5 +1,5 @@
PORTNAME= boringssl
-PORTVERSION= 0.0.0.0.2025.05.07.01
+PORTVERSION= 0.0.0.0.2025.05.13.01
CATEGORIES= security
EXTRACT_ONLY= ${GH_ACCOUNT}-${PORTNAME}-${PORTVERSION}-${GH_TAGNAME}_GH0.tar.gz
@@ -19,7 +19,7 @@ CPE_VENDOR= google
USE_GITHUB= yes
GH_ACCOUNT= google
-GH_TAGNAME= 864a235
+GH_TAGNAME= 8997380
CMAKE_ARGS+= -DBUILD_SHARED_LIBS=1
CFLAGS_i386= -msse2
diff --git a/security/boringssl/distinfo b/security/boringssl/distinfo
index 6e865c3421a2..170d821b0d5f 100644
--- a/security/boringssl/distinfo
+++ b/security/boringssl/distinfo
@@ -1,4 +1,4 @@
-TIMESTAMP = 1746707749
+TIMESTAMP = 1747212570
SHA256 (filippo.io/edwards25519/@v/v1.1.0.zip) = 9ac43a686d06fdebd719f7af3866c87eb069302272dfb131007adf471c308b65
SIZE (filippo.io/edwards25519/@v/v1.1.0.zip) = 55809
SHA256 (filippo.io/edwards25519/@v/v1.1.0.mod) = 099556fc4d7e6f5cb135efdd8b6bb4c0932e38ea058c53fc5fa5ce285572fb61
@@ -11,5 +11,5 @@ SHA256 (golang.org/x/sys/@v/v0.32.0.zip) = 85d47075d21fd7ef35d9a47fc73f2356fb3cd
SIZE (golang.org/x/sys/@v/v0.32.0.zip) = 1991164
SHA256 (golang.org/x/sys/@v/v0.32.0.mod) = f67e3e18f4c08e60a7e80726ab36b691fdcea5b81ae1c696ff64caf518bcfe3d
SIZE (golang.org/x/sys/@v/v0.32.0.mod) = 35
-SHA256 (google-boringssl-0.0.0.0.2025.05.07.01-864a235_GH0.tar.gz) = 5d35ccedd5ce74a11523ad4f08c1edb589697d22b11b644edae65f3592351f98
-SIZE (google-boringssl-0.0.0.0.2025.05.07.01-864a235_GH0.tar.gz) = 46144754
+SHA256 (google-boringssl-0.0.0.0.2025.05.13.01-8997380_GH0.tar.gz) = c385bc4309ecc58e04cf701d2e95a3dbc9c74e12cb3e5b9417b3df6cb2de790f
+SIZE (google-boringssl-0.0.0.0.2025.05.13.01-8997380_GH0.tar.gz) = 46142079
diff --git a/security/fakeroot/Makefile b/security/fakeroot/Makefile
index f8a9e8bc2dc7..8fe1685435e6 100644
--- a/security/fakeroot/Makefile
+++ b/security/fakeroot/Makefile
@@ -1,5 +1,5 @@
PORTNAME= fakeroot
-PORTVERSION= 1.37.1.1
+PORTVERSION= 1.37.1.2
CATEGORIES= security
MASTER_SITES= DEBIAN
DISTNAME= ${PORTNAME}_${PORTVERSION}.orig
diff --git a/security/fakeroot/distinfo b/security/fakeroot/distinfo
index 28735cbb6158..a938ca8fcddc 100644
--- a/security/fakeroot/distinfo
+++ b/security/fakeroot/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1744921082
-SHA256 (fakeroot_1.37.1.1.orig.tar.gz) = 86b0b75bf319ca42e525c098675b6ed10a06b76e69ec9ccf20ef5e03883b3a14
-SIZE (fakeroot_1.37.1.1.orig.tar.gz) = 595265
+TIMESTAMP = 1747131024
+SHA256 (fakeroot_1.37.1.2.orig.tar.gz) = 959496928c8a676ec8377f665ff6a19a707bfad693325f9cc4a4126642f53224
+SIZE (fakeroot_1.37.1.2.orig.tar.gz) = 594008
diff --git a/security/fizz/Makefile b/security/fizz/Makefile
index 8bf1cfeab4b0..69356dd3585d 100644
--- a/security/fizz/Makefile
+++ b/security/fizz/Makefile
@@ -1,6 +1,6 @@
PORTNAME= fizz
DISTVERSIONPREFIX= v
-DISTVERSION= 2025.05.05.00
+DISTVERSION= 2025.05.12.00
CATEGORIES= security
MAINTAINER= yuri@FreeBSD.org
diff --git a/security/fizz/distinfo b/security/fizz/distinfo
index a96749dd9f1f..b92c50f7c07e 100644
--- a/security/fizz/distinfo
+++ b/security/fizz/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1746504537
-SHA256 (facebookincubator-fizz-v2025.05.05.00_GH0.tar.gz) = 424c8bfb229ff3e46ab878cb7fb91b79ce785f9b61d85d4dc0eb5a0cd370cda6
-SIZE (facebookincubator-fizz-v2025.05.05.00_GH0.tar.gz) = 754049
+TIMESTAMP = 1747102733
+SHA256 (facebookincubator-fizz-v2025.05.12.00_GH0.tar.gz) = d3608b4595fff4e0d59585b1b12bead6f6ce4bf2d3bee41fb084f7128a28e4b2
+SIZE (facebookincubator-fizz-v2025.05.12.00_GH0.tar.gz) = 754096
diff --git a/security/libp11/Makefile b/security/libp11/Makefile
index 1ac2909bf055..7575e9c2ed49 100644
--- a/security/libp11/Makefile
+++ b/security/libp11/Makefile
@@ -1,5 +1,5 @@
PORTNAME= libp11
-PORTVERSION= 0.4.13
+PORTVERSION= 0.4.14
DISTVERSIONPREFIX= ${PORTNAME}-
CATEGORIES= security devel
@@ -35,7 +35,9 @@ CONFIGURE_ENV= LTLIB_CFLAGS="-I${LOCALBASE}/include" \
OPENSSL_CFLAGS="-I${OPENSSLINC}" \
OPENSSL_LIBS="-L${OPENSSLLIB} -lssl -lcrypto"
-CONFIGURE_ARGS= --with-enginesdir=${PREFIX}/lib/engines
+CONFIGURE_ARGS= --with-enginesdir=${PREFIX}/lib/engines \
+ --with-modulesdir=${PREFIX}/lib/ossl-modules \
+ --enable-static-engine
INSTALL_TARGET= install-strip
diff --git a/security/libp11/distinfo b/security/libp11/distinfo
index def41ebc82a5..15ac552b5724 100644
--- a/security/libp11/distinfo
+++ b/security/libp11/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1734366816
-SHA256 (OpenSC-libp11-libp11-0.4.13_GH0.tar.gz) = 5e8e258c6a8e33155c3a2bd2bd7d12a758f82b7bda1f92e8b77075d16edc9889
-SIZE (OpenSC-libp11-libp11-0.4.13_GH0.tar.gz) = 148443
+TIMESTAMP = 1747212917
+SHA256 (OpenSC-libp11-libp11-0.4.14_GH0.tar.gz) = 99405d1b46bf48a990892676b7bc5597692adc53fc50f7bb19e83d03bd394b94
+SIZE (OpenSC-libp11-libp11-0.4.14_GH0.tar.gz) = 172631
diff --git a/security/libp11/files/patch-configure.ac b/security/libp11/files/patch-configure.ac
index 42b316830aa1..d427d911cbc4 100644
--- a/security/libp11/files/patch-configure.ac
+++ b/security/libp11/files/patch-configure.ac
@@ -1,6 +1,6 @@
---- configure.ac.orig 2024-12-13 18:13:57 UTC
+--- configure.ac.orig 2025-05-13 21:17:57 UTC
+++ configure.ac
-@@ -208,7 +208,7 @@ fi
+@@ -246,7 +246,7 @@ fi
[Default PKCS#11 module.])
fi
diff --git a/security/libp11/files/patch-src_Makefile.am b/security/libp11/files/patch-src_Makefile.am
new file mode 100644
index 000000000000..f8e9be42f65a
--- /dev/null
+++ b/security/libp11/files/patch-src_Makefile.am
@@ -0,0 +1,13 @@
+--- src/Makefile.am.orig 2025-05-14 13:58:16 UTC
++++ src/Makefile.am
+@@ -4,8 +4,8 @@ EXTRA_DIST = Makefile.mak libp11.rc.in pkcs11.rc.in
+ CLEANFILES = libp11.pc
+ EXTRA_DIST = Makefile.mak libp11.rc.in pkcs11.rc.in
+
+-noinst_HEADERS= libp11-int.h pkcs11.h p11_pthread.h
+-include_HEADERS= libp11.h p11_err.h util.h
++noinst_HEADERS= libp11-int.h pkcs11.h p11_pthread.h util.h
++include_HEADERS= libp11.h p11_err.h
+ if ENABLE_STATIC_ENGINE
+ lib_LTLIBRARIES = libp11.la libpkcs11.la
+ else
diff --git a/security/libp11/pkg-plist b/security/libp11/pkg-plist
index 73bea38f97d3..79526fa0f30a 100644
--- a/security/libp11/pkg-plist
+++ b/security/libp11/pkg-plist
@@ -2,10 +2,12 @@ include/libp11.h
include/p11_err.h
lib/engines/libpkcs11.so
lib/engines/pkcs11.so
+lib/ossl-modules/libpkcs11.so
+lib/ossl-modules/pkcs11prov.so
lib/libp11.a
lib/libp11.so
lib/libp11.so.3
-lib/libp11.so.3.6.0
+lib/libp11.so.3.7.0
lib/libpkcs11.a
lib/libpkcs11.so
lib/libpkcs11.so.0
@@ -15,6 +17,9 @@ libdata/pkgconfig/libp11.pc
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/README
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/auth.c
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/decrypt.c
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/eckeygen.c
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/getrandom.c
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/listkeys.c
%%PORTEXAMPLES%%%%EXAMPLESDIR%%/listkeys_ext.c
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/rsakeygen.c
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/storecert.c
diff --git a/security/modsecurity3/Makefile b/security/modsecurity3/Makefile
index 98a04a3147ba..15147e278ed0 100644
--- a/security/modsecurity3/Makefile
+++ b/security/modsecurity3/Makefile
@@ -1,6 +1,6 @@
PORTNAME= modsecurity
DISTVERSIONPREFIX= v
-DISTVERSION= 3.0.13
+DISTVERSION= 3.0.14
CATEGORIES= security www
MASTER_SITES= https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${PORTVERSION}/
PKGNAMESUFFIX= 3
diff --git a/security/modsecurity3/distinfo b/security/modsecurity3/distinfo
index c039c9a54753..482023ee9036 100644
--- a/security/modsecurity3/distinfo
+++ b/security/modsecurity3/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1726168534
-SHA256 (modsecurity-v3.0.13.tar.gz) = 86b4881164a161b822a49df3501e83b254323206906134bdc34a6f3338f4d3f2
-SIZE (modsecurity-v3.0.13.tar.gz) = 9677566
+TIMESTAMP = 1745827976
+SHA256 (modsecurity-v3.0.14.tar.gz) = f7599057b35e67ab61764265daddf9ab03c35cee1e55527547afb073ce8f04e8
+SIZE (modsecurity-v3.0.14.tar.gz) = 9755566
diff --git a/security/quantis-kmod/Makefile b/security/quantis-kmod/Makefile
index dfe765e1d376..15b2f7cc4ca1 100644
--- a/security/quantis-kmod/Makefile
+++ b/security/quantis-kmod/Makefile
@@ -13,9 +13,7 @@ LICENSE= BSD3CLAUSE GPLv2
LICENSE_COMB= dual
LICENSE_FILE= ${WRKDIR}/Quantis-${DISTVERSION}/License.txt
-USES= kmod uidfix zip:infozip
-
-EXTRACT_BEFORE_ARGS= -aqo
+USES= kmod uidfix zip
WRKSRC= ${WRKDIR}/Quantis-${DISTVERSION}/Drivers/Unix/QuantisPci
diff --git a/security/tpm2-abrmd/Makefile b/security/tpm2-abrmd/Makefile
index 0e4b4e89641a..00e8255f5b4c 100644
--- a/security/tpm2-abrmd/Makefile
+++ b/security/tpm2-abrmd/Makefile
@@ -1,6 +1,6 @@
PORTNAME= tpm2-abrmd
DISTVERSION= 3.0.0
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= https://github.com/tpm2-software/tpm2-abrmd/releases/download/${DISTVERSION}/
@@ -17,7 +17,7 @@ RUN_DEPENDS= dbus-daemon:devel/dbus
USES= gmake libtool pkgconfig gnome
USE_LDCONFIG= yes
USE_GNOME= glib20
-USE_RC_SUBR= tpm2-abrmd
+USE_RC_SUBR= tpm2_abrmd
GNU_CONFIGURE= yes
GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
@@ -28,9 +28,6 @@ USERS= _tss
SUB_LIST= DBUS_DAEMON=dbus
-pre-install:
- @${INSTALL_DATA} ${FILESDIR}/tpm2-abrmd-devd.conf ${STAGEDIR}${PREFIX}/etc/devd
-
post-install:
@${RM} ${STAGEDIR}${PREFIX}/lib/systemd/system-preset/tpm2-abrmd.preset
@${RM} ${STAGEDIR}${PREFIX}/lib/systemd/system/tpm2-abrmd.service
diff --git a/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf b/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf
index 755942458792..29c02ab9640d 100644
--- a/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf
+++ b/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf
@@ -1,25 +1,37 @@
--- dist/tpm2-abrmd.conf.orig 2022-05-09 15:39:53 UTC
+++ dist/tpm2-abrmd.conf
-@@ -2,7 +2,7 @@
+@@ -2,27 +2,25 @@
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- ../system.conf have denied everything, so we just punch some holes -->
- <policy user="tss">
-+ <policy user="_tss">
- <allow own="com.intel.tss2.Tabrmd"/>
- </policy>
+- <allow own="com.intel.tss2.Tabrmd"/>
+- </policy>
+- <policy user="root">
+- <allow own="com.intel.tss2.Tabrmd"/>
+- </policy>
+ <!-- Match /dev/tpmrm0 permissions tss tss 0660 -->
<policy user="root">
-@@ -17,11 +17,11 @@
<allow send_destination="com.intel.tss2.Tabrmd"/>
<allow receive_sender="com.intel.tss2.Tabrmd"/>
++ <allow own="com.intel.tss2.Tabrmd"/>
+ </policy>
+- <policy group="root">
++ <policy group="wheel">
+ <allow send_destination="com.intel.tss2.Tabrmd"/>
+ <allow receive_sender="com.intel.tss2.Tabrmd"/>
++ <allow own="com.intel.tss2.Tabrmd"/>
</policy>
- <policy user="tss">
+ <policy user="_tss">
<allow send_destination="com.intel.tss2.Tabrmd"/>
<allow receive_sender="com.intel.tss2.Tabrmd"/>
++ <allow own="com.intel.tss2.Tabrmd"/>
</policy>
- <policy group="tss">
+ <policy group="_tss">
<allow send_destination="com.intel.tss2.Tabrmd"/>
<allow receive_sender="com.intel.tss2.Tabrmd"/>
++ <allow own="com.intel.tss2.Tabrmd"/>
</policy>
+ </busconfig>
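Review bot: The rewritten policy adds `<allow own="com.intel.tss2.Tabrmd"/>` to the `group="wheel"` and `group="_tss"` blocks, so any process running as a member of either group may claim the broker's well-known name on the system bus. The lines this patch removes show that upstream granted `own` only to the `tss` and `root` users. A client that reaches some other process under that name would send it its TPM commands, so name ownership should stay with the daemon account: keep `own` in `<policy user="_tss">` (and in `user="root"` if the daemon can start as root) and drop it from the two group blocks. The carried-over comment `Match /dev/tpmrm0 permissions tss tss 0660` also no longer describes this port, which per the new pkg-message uses `/dev/tpm0` with group `_tss`.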
diff --git a/security/tpm2-abrmd/files/patch-src_response-sink.c b/security/tpm2-abrmd/files/patch-src_response-sink.c
new file mode 100644
index 000000000000..a54debd6835a
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_response-sink.c
@@ -0,0 +1,11 @@
+--- src/response-sink.c.orig 2025-02-22 21:59:15 UTC
++++ src/response-sink.c
+@@ -188,7 +188,7 @@ response_sink_process_response (Tpm2Response *response
+
+ g_debug ("%s: writing 0x%x bytes", __func__, size);
+ g_debug_bytes (buffer, size, 16, 4);
+- written = write_all (ostream, buffer, size);
++ written = g_write_all (ostream, buffer, size);
+ g_object_unref (connection);
+
+ return written;
diff --git a/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c b/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c
new file mode 100644
index 000000000000..4af7e9727b29
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c
@@ -0,0 +1,11 @@
+--- src/tcti-tabrmd.c.orig 2025-02-22 21:59:15 UTC
++++ src/tcti-tabrmd.c
+@@ -46,7 +46,7 @@ tss2_tcti_tabrmd_transmit (TSS2_TCTI_CONTEXT *context,
+ g_debug_bytes (command, size, 16, 4);
+ ostream = g_io_stream_get_output_stream (TSS2_TCTI_TABRMD_IOSTREAM (context));
+ g_debug ("%s: blocking write on ostream", __func__);
+- write_ret = write_all (ostream, command, size);
++ write_ret = g_write_all (ostream, command, size);
+ /* should switch on possible errors to translate to TSS2 error codes */
+ switch (write_ret) {
+ case -1:
diff --git a/security/tpm2-abrmd/files/patch-src_util.c b/security/tpm2-abrmd/files/patch-src_util.c
new file mode 100644
index 000000000000..32c36126c75b
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_util.c
@@ -0,0 +1,11 @@
+--- src/util.c.orig 2025-02-22 21:59:15 UTC
++++ src/util.c
+@@ -68,7 +68,7 @@ ssize_t
+ /** Write as many of the size bytes from buf to fd as possible.
+ */
+ ssize_t
+-write_all (GOutputStream *ostream,
++g_write_all (GOutputStream *ostream,
+ const uint8_t *buf,
+ const size_t size)
+ {
diff --git a/security/tpm2-abrmd/files/patch-src_util.h b/security/tpm2-abrmd/files/patch-src_util.h
new file mode 100644
index 000000000000..2c8936779c7f
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_util.h
@@ -0,0 +1,11 @@
+--- src/util.h.orig 2025-02-22 21:59:15 UTC
++++ src/util.h
+@@ -79,7 +79,7 @@ typedef TSS2_RC (*KeyValueFunc) (const key_value_t* ke
+ #define TPMA_CC_RES(attrs) (attrs.val & 0xc0000000)
+ */
+
+-ssize_t write_all (GOutputStream *ostream,
++ssize_t g_write_all (GOutputStream *ostream,
+ const uint8_t *buf,
+ const size_t size);
+ int read_data (GInputStream *istream,
diff --git a/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf b/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf
deleted file mode 100644
index f7f4091a25a5..000000000000
--- a/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Allow members of _tss group to access tpm device
-
-notify 100 {
- match "system" "DEVFS";
- match "subsystem" "CDEV";
- match "type" "CREATE";
- match "cdev" "tpm[0-9]+";
- action "chgrp _tss /dev/tpm0; chmod g+rw /dev/tpm0";
-};
diff --git a/security/tpm2-abrmd/files/tpm2-abrmd.in b/security/tpm2-abrmd/files/tpm2_abrmd.in
index 62d61d98b1d6..62d61d98b1d6 100644
--- a/security/tpm2-abrmd/files/tpm2-abrmd.in
+++ b/security/tpm2-abrmd/files/tpm2_abrmd.in
diff --git a/security/tpm2-abrmd/pkg-message b/security/tpm2-abrmd/pkg-message
new file mode 100644
index 000000000000..cfc2c09fdf0b
--- /dev/null
+++ b/security/tpm2-abrmd/pkg-message
@@ -0,0 +1,10 @@
+[
+{ type: install
+ message: <<EOM
+Please add the following lines to /etc/devfs.conf as tpm2-abrmd needs /dev/tpm0
+to be mode 0660 and group _tss:
+perm tpm0 0660
+own tpm0 root:_tss
+EOM
+}
+]
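Review bot: This message is `type: install` only, so it is not shown to users who upgrade from the revision that installed `etc/devd/tpm2-abrmd-devd.conf`. After such an upgrade the devd rule is gone, and `/dev/tpm0` will presumably come up with its default owner and mode, so the daemon running as `_tss` is likely to lose access without any hint why. Add a second entry with `type: upgrade` and `maximum_version: "3.0.0_4"` carrying the same text. It would also help to state that the devfs.conf lines take effect after `service devfs restart` or a reboot.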
diff --git a/security/tpm2-abrmd/pkg-plist b/security/tpm2-abrmd/pkg-plist
index d20a9a42b2ca..978d156f8219 100644
--- a/security/tpm2-abrmd/pkg-plist
+++ b/security/tpm2-abrmd/pkg-plist
@@ -1,6 +1,5 @@
include/tss2/tss2-tcti-tabrmd.h
etc/dbus-1/system.d/tpm2-abrmd.conf
-etc/devd/tpm2-abrmd-devd.conf
lib/libtss2-tcti-tabrmd.a
lib/libtss2-tcti-tabrmd.so
lib/libtss2-tcti-tabrmd.so.0
diff --git a/security/tpm2-tss/Makefile b/security/tpm2-tss/Makefile
index f02c6c5417b2..8d60a2b418bc 100644
--- a/security/tpm2-tss/Makefile
+++ b/security/tpm2-tss/Makefile
@@ -1,6 +1,6 @@
PORTNAME= tpm2-tss
DISTVERSION= 4.0.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
MASTER_SITES= https://github.com/tpm2-software/tpm2-tss/releases/download/${DISTVERSION}/
diff --git a/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c b/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c
new file mode 100644
index 000000000000..d613ac6e7e64
--- /dev/null
+++ b/security/tpm2-tss/files/patch-src_tss2-esys_esys__context.c
@@ -0,0 +1,11 @@
+--- src/tss2-esys/esys_context.c.orig 2025-02-22 22:43:21 UTC
++++ src/tss2-esys/esys_context.c
+@@ -26,7 +26,7 @@
+ * If not specified, load a TCTI in this order:
+ * Library libtss2-tcti-default.so (link to the preferred TCTI)
+ * Library libtss2-tcti-tabrmd.so (tabrmd)
+- * Device /dev/tpmrm0 (kernel resident resource manager)
++ * Device /dev/tpmrm0 (kernel resident resource manager, SKIPPED on FreeBSD)
+ * Device /dev/tpm0 (hardware TPM)
+ * TCP socket localhost:2321 (TPM simulator)
+ * @param esys_context [out] The ESYS_CONTEXT.
diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c
new file mode 100644
index 000000000000..52a165e2a191
--- /dev/null
+++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tcti-device.c
@@ -0,0 +1,12 @@
+--- src/tss2-tcti/tcti-device.c.orig 2023-01-23 18:36:16.000000000 +0000
++++ src/tss2-tcti/tcti-device.c 2025-05-08 08:40:29.255475000 +0000
+@@ -61,7 +61,9 @@
+ #ifdef __VXWORKS__
+ "/tpm0"
+ #else
++#ifndef __FreeBSD__
+ "/dev/tpmrm0",
++#endif /* __FreeBSD__ */
+ "/dev/tpm0",
+ #endif /* __VX_WORKS__ */
+ };
diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c
new file mode 100644
index 000000000000..9353fa36c133
--- /dev/null
+++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-dl.c
@@ -0,0 +1,16 @@
+--- src/tss2-tcti/tctildr-dl.c.orig 2025-02-22 22:43:21 UTC
++++ src/tss2-tcti/tctildr-dl.c
+@@ -37,11 +37,13 @@ struct {
+ .file = "libtss2-tcti-tabrmd.so.0",
+ .description = "Access libtss2-tcti-tabrmd.so",
+ },
++#if !defined(__FreeBSD__)
+ {
+ .file = "libtss2-tcti-device.so.0",
+ .conf = "/dev/tpmrm0",
+ .description = "Access libtss2-tcti-device.so.0 with /dev/tpmrm0",
+ },
++#endif
+ {
+ .file = "libtss2-tcti-device.so.0",
+ .conf = "/dev/tpm0",
diff --git a/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c
new file mode 100644
index 000000000000..219dee0c0639
--- /dev/null
+++ b/security/tpm2-tss/files/patch-src_tss2-tcti_tctildr-nodl.c
@@ -0,0 +1,11 @@
+--- src/tss2-tcti/tctildr-nodl.c.orig 2025-02-22 22:43:21 UTC
++++ src/tss2-tcti/tctildr-nodl.c
+@@ -67,7 +67,7 @@ struct {
+ .init = Tss2_Tcti_Tbs_Init,
+ .description = "Access to TBS",
+ },
+-#elif defined (__VXWORKS__)
++#elif defined (__VXWORKS__) || defined(__FreeBSD__)
+ {
+ .names = {
+ "libtss2-tcti-device.so.0",
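Review bot: Adding `defined(__FreeBSD__)` to the `__VXWORKS__` branch makes FreeBSD builds use whatever `.conf` path that table entry carries, and the entry's `.conf` line is outside this hunk. The tcti-device.c patch in this same commit shows the VxWorks default device as `"/tpm0"`, so if this entry uses the same path, a no-dlopen FreeBSD build would never open `/dev/tpm0`. Please confirm that the selected entry points at `/dev/tpm0`. If it does not, a dedicated `#elif defined(__FreeBSD__)` entry with `.conf = "/dev/tpm0"` would be safer than sharing the VxWorks one, and it should be checked against the expectation order in the test/unit/tctildr-nodl.c patch.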
diff --git a/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c b/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c
new file mode 100644
index 000000000000..99090001bd2b
--- /dev/null
+++ b/security/tpm2-tss/files/patch-test_unit_tctildr-nodl.c
@@ -0,0 +1,14 @@
+--- test/unit/tctildr-nodl.c.orig 2025-02-22 22:43:21 UTC
++++ test/unit/tctildr-nodl.c
+@@ -65,9 +65,11 @@ test_tctildr_get_default_all_fail (void **state)
+ /* device:/dev/tpm0 */
+ will_return (__wrap_tcti_from_init, tcti_ctx);
+ will_return (__wrap_tcti_from_init, TEST_RC);
++#if !defined (__FreeBSD__)
+ /* device:/dev/tpmrm0 */
+ will_return (__wrap_tcti_from_init, tcti_ctx);
+ will_return (__wrap_tcti_from_init, TEST_RC);
++#endif
+ /* swtpm */
+ will_return (__wrap_tcti_from_init, tcti_ctx);
+ will_return (__wrap_tcti_from_init, TEST_RC);
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 8bcfd16d2c2e..b6bd8cf4938e 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,137 @@
+ <vuln vid="52efdd56-30bd-11f0-81be-b42e991fc52e">
+ <topic>Mozilla -- memory safety bugs</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>138.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>128.10</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>138.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105">
+ <p>Memory safety bugs present in Firefox 137, Thunderbird 137,
+ Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs
+ showed evidence of memory corruption and we presume that
+ with enough effort some of these could have been exploited
+ to run arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-4091</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4091</url>
+ </references>
+ <dates>
+ <discovery>2025-04-29</discovery>
+ <entry>2025-05-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4f17db64-30bd-11f0-81be-b42e991fc52e">
+ <topic>Mozilla -- memory corruption</topic>
+ <affects>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>128.10</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>128.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1894100">
+ <p>Memory safety bug present in Firefox ESR 128.9, and
+ Thunderbird 128.9. This bug showed evidence of memory
+ corruption and we presume that with enough effort this could
+ have been exploited to run arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-4093</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4093</url>
+ </references>
+ <dates>
+ <discovery>2025-04-29</discovery>
+ <entry>2025-05-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6f10b49d-07b1-4be4-8abf-edf880b16ad2">
+ <topic>vscode -- security feature bypass vulnerability</topic>
+ <affects>
+ <package>
+ <name>vscode</name>
+ <range><lt>1.100.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>VSCode developers report:</p>
+ <blockquote cite="https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm">
+ <p>A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL but when fetched, the user would have no moment to confirm the flighting of the request.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-21264</cvename>
+ <url>https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm</url>
+ <url>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21264</url>
+ </references>
+ <dates>
+ <discovery>2025-05-13</discovery>
+ <entry>2025-05-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a96cd659-303e-11f0-94b5-54ee755069b5">
+ <topic>libxslt -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libxslt</name>
+ <range><lt>1.1.43</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>[CVE-2024-55549] Fix UAF related to excluded namespaces</h1>
+ <blockquote cite="https://gitlab.gnome.org/GNOME/libxslt/-/issues/127">
+ <p>xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.</p>
+ </blockquote>
+ <h1>[CVE-2025-24855] Fix use-after-free of XPath context node</h1>
+ <blockquote cite="https://gitlab.gnome.org/GNOME/libxslt/-/issues/128">
+ <p>numbers.c in libxslt before 1.1.43 has a use-after-free because
+ , in nested XPath evaluations, an XPath context node can be
+ modified but never restored. This is related to
+ xsltNumberFormatGetValue, xsltEvalXPathPredicate,
+ xsltEvalXPathStringNs, and xsltComputeSortResultInternal.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2024-55549</cvename>
+ <cvename>CVE-2025-24855</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2024-55549</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-24855</url>
+ </references>
+ <dates>
+ <discovery>2025-03-13</discovery>
+ <entry>2025-05-13</entry>
+ </dates>
+ </vuln>
+
<vuln vid="89c668d5-2f80-11f0-9632-641c67a117d8">
<topic>www/varnish7 -- Request Smuggling Attack</topic>
<affects>
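Review bot: The `firefox-esr` and `thunderbird` ranges in the two Mozilla entries carry no epoch (`<lt>128.10</lt>`, `<lt>138.0</lt>`), while the `firefox` range does (`<lt>138.0,2</lt>`). Package version comparison looks at the epoch first, so if either port sets a PORTEPOCH, every installed version compares as newer than the bound and the entry never flags a vulnerable package. Please check both ports' PORTEPOCH and, where one is set, write the bound with it, for example `<lt>128.10,N</lt>` with N being the port's epoch.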