From dceb46fc8a6eea281dbafc46e6452a9d82550b09 Mon Sep 17 00:00:00 2001
From: Matthias Andree <mandree@FreeBSD.org>
Date: Sat, 12 Jul 2025 11:10:11 +0200
Subject: textproc/libxml2, textproc/libxslt: vulnerable

Note that libxslt is vulnerable, unfixed, and without maintainer.
Two of four vulnerabilities have been fixed.

Note that libxml2 in our ports is vulnerable and there is no upstream
release fixing these bugs, they need cherry-picks.

Deprecate textproc/xmlto and textproc/minixmlto,
which both depend on the unmaintained and vulnerable libxslt.
I have filed https://pagure.io/xmlto/issue/15 to ask the xmlto
upstream to switch to different XML/XSLT libraries.

Two issues are undisclosed and do not seem to have a CVE assigned yet.

Security:	CVE-2025-6021
Security:	CVE-2025-6170
Security:	CVE-2025-7424
Security:	CVE-2025-7425
Security:	CVE-2025-49794
Security:	CVE-2025-49795
Security:	CVE-2025-49795
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/932
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/935
Security:	https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
Security:	https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
Security:	https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
Security:	https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
Security:	https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
Security:	https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
Security:	https://www.openwall.com/lists/oss-security/2025/06/16/6
---
 security/vuxml/vuln/2025.xml | 107 +++++++++++++++++++++++++++++++++++++++++++
 textproc/libxslt/Makefile    |   3 ++
 textproc/minixmlto/Makefile  |   3 ++
 textproc/xmlto/Makefile      |  29 +++++++-----
 4 files changed, 130 insertions(+), 12 deletions(-)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index cbaccdd8f0ad..a37b43d29650 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,110 @@
+  <vuln vid="b0a3466f-5efc-11f0-ae84-99047d0a6bcc">
+    <topic>libxslt -- unmaintained, with multiple unfixed vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>libxslt</name>
+	<range><lt>2</lt></range> <!-- adjust should libxslt ever be fixed -->
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Alan Coopersmith reports:</p>
+	<blockquote cite="https://www.openwall.com/lists/oss-security/2025/07/11/2">
+	  <p>On 6/16/25 15:12, Alan Coopersmith wrote:</p>
+	  <p><em>
+	    BTW, users of libxml2 may also be using its sibling project, libxslt,
+	    which currently has no active maintainer, but has three unfixed security issues
+	    reported against it according to
+	    <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt">
+		https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a>
+	  </em></p>
+	  <p>2 of the 3 have now been disclosed:</p>
+	  <p>(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes<br />
+	    <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/139">https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</a>
+	    <a href="https://project-zero.issues.chromium.org/issues/409761909">https://project-zero.issues.chromium.org/issues/409761909</a></p>
+	  <p>(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption<br />
+	    <a href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/140">https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</a><br /><a href="https://project-zero.issues.chromium.org/issues/410569369">https://project-zero.issues.chromium.org/issues/410569369</a></p>
+	  <p>Engineers from Apple &amp; Google have proposed patches in the GNOME gitlab issues,
+	  but neither has had a fix applied to the git repo since there is currently no
+	    maintainer for libxslt.</p>
+	</blockquote>
+	<p>Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see
+	  <a href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt">
+	    https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a>
+	</p>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-7424</cvename>
+      <cvename>CVE-2025-7425</cvename>
+      <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/144</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/148</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988</url>
+    </references>
+    <dates>
+      <discovery>2025-04-10</discovery>
+      <entry>2025-07-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="abbc8912-5efa-11f0-ae84-99047d0a6bcc">
+    <topic>libxml2 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>libxml2</name>
+	<range><lt>3.0</lt></range> <!-- needs update once fixed version appears -->
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Alan Coopersmith reports:</p>
+	<blockquote cite="https://www.openwall.com/lists/oss-security/2025/06/16/6">
+	  <p>As discussed in
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/913">https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</a> the
+	  security policy of libxml2 has been changed to disclose vulnerabilities
+	  before fixes are available so that people other than the maintainer can
+	    contribute to fixing security issues in this library.</p>
+	  <p>As part of this, the following 5 CVE's have been disclosed recently:</p>
+	  <p>(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS)
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/931">https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</a> [...]</p>
+	  <p>(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS)
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/932">https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</a> [...]</p>
+	  <p>(CVE-2025-49796) Type confusion leads to Denial of service (DoS)
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/933">https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</a> [...]</p>
+	  <p>For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/935">https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</a>.</p>
+	  <p>(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName()
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/926">https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</a> [...]</p>
+	  <p>(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell
+	    <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/941">https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</a> [...]</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-6021</cvename>
+      <cvename>CVE-2025-6170</cvename>
+      <cvename>CVE-2025-49794</cvename>
+      <cvename>CVE-2025-49795</cvename>
+      <cvename>CVE-2025-49795</cvename>
+      <url>https://www.openwall.com/lists/oss-security/2025/06/16/6</url>
+      <url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</url>
+    </references>
+    <dates>
+      <discovery>2025-05-27</discovery>
+      <entry>2025-07-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="61d74f80-5e9e-11f0-8baa-8447094a420f">
     <topic>mod_http2 -- Multiple vulnerabilities</topic>
     <affects>
diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile
index dcfd2041aefc..344606952e8f 100644
--- a/textproc/libxslt/Makefile
+++ b/textproc/libxslt/Makefile
@@ -12,6 +12,9 @@ WWW=		https://gitlab.gnome.org/GNOME/libxslt/
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/Copyright
 
+DEPRECATED=	unmaintained with multiple unfixed security vulnerabilities
+EXPIRATION_DATE=2025-09-12
+
 # See note in textproc/libxml2 for why this port uses autotools
 USES=		cpe gmake gnome libtool localbase:ldflags pathfix pkgconfig tar:xz
 CPE_VENDOR=	xmlsoft
diff --git a/textproc/minixmlto/Makefile b/textproc/minixmlto/Makefile
index 0f7b3a058b33..351240e79858 100644
--- a/textproc/minixmlto/Makefile
+++ b/textproc/minixmlto/Makefile
@@ -9,6 +9,9 @@ WWW=		https://github.com/bapt/minixmlto
 
 LICENSE=	BSD2CLAUSE
 
+DEPRECATED=     Depends on vulnerable unmaintained libxslt
+EXPIRATION_DATE=2025-09-12
+
 RUN_DEPENDS=	docbook-xsl>0:textproc/docbook-xsl \
 		xsltproc:textproc/libxslt \
 		html2text:textproc/html2text \
diff --git a/textproc/xmlto/Makefile b/textproc/xmlto/Makefile
index cd2e6c55d175..278d599474d7 100644
--- a/textproc/xmlto/Makefile
+++ b/textproc/xmlto/Makefile
@@ -17,6 +17,9 @@ WWW=		https://pagure.io/xmlto/
 
 LICENSE=	GPLv2
 
+DEPRECATED=	Depends on vulnerable unmaintained libxslt
+EXPIRATION_DATE=2025-09-12
+
 BUILD_DEPENDS=	${BASH_CMD}:shells/bash \
 		${GETOPT_CMD}:misc/getopt \
 		xmllint:textproc/libxml2 \
@@ -27,8 +30,19 @@ BUILD_DEPENDS=	${BASH_CMD}:shells/bash \
 		docbook-xml>0:textproc/docbook-xml
 RUN_DEPENDS:=	${BUILD_DEPENDS}
 
+USES=		tar:bzip2
+GNU_CONFIGURE=	yes
+GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
+CONFIGURE_ARGS=	BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD}
+MAKE_ENV+=	HOME=/dev/null
+
 SUB_FILES=	pkg-message
 
+PORTDOCS=	AUTHORS ChangeLog NEWS THANKS
+# these documentation files do not convey information useful for
+# the FreeBSD port at this time, or are provided by the ports framework:
+# PORTDOCS+=	COPYING FAQ README
+
 OPTIONS_DEFINE=	DOCS
 OPTIONS_GROUP=		BACKEND
 OPTIONS_GROUP_BACKEND=		DBLATEX FOP PASSIVETEX
@@ -37,21 +51,12 @@ DBLATEX_DESC=		Add dependency on DBlatex (DB for DocBook)
 FOP_DESC=		Add dependency on FOP (requires Java)
 PASSIVETEX_DESC=	Add dependency on XMLTeX/PassiveTeX
 
-USES=		tar:bzip2
-GNU_CONFIGURE=	yes
-GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
-CONFIGURE_ARGS=	BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} PDFXMLTEX=${PDFXMLTEX_CMD}
-MAKE_ENV+=	HOME=/dev/null
-
 BASH_CMD=	${LOCALBASE}/bin/bash
 GETOPT_CMD=	${LOCALBASE}/bin/getopt
-XSL_DIR=	${LOCALBASE}/share/xsl/docbook
 PDFXMLTEX_CMD=	${LOCALBASE}/bin/pdftex
-
-PORTDOCS=	AUTHORS ChangeLog NEWS THANKS
-# these documentation files do not convey information useful for
-# the FreeBSD port at this time, or are provided by the ports framework:
-# PORTDOCS+=	COPYING FAQ README
+.ifnmake portclippy
+XSL_DIR=	${LOCALBASE}/share/xsl/docbook
+.endif
 
 .include <bsd.port.pre.mk>
 
-- 
cgit v1.2.3