From nobody@FreeBSD.org  Wed May  5 18:42:32 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 19F72106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 May 2010 18:42:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 0B15F8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  5 May 2010 18:42:32 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o45IgVF3021864
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 5 May 2010 18:42:31 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o45IgV8d021863;
	Wed, 5 May 2010 18:42:31 GMT
	(envelope-from nobody)
Message-Id: <201005051842.o45IgV8d021863@www.freebsd.org>
Date: Wed, 5 May 2010 18:42:31 GMT
From: Niels Heinen <niels@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [security] devel/lxr XSS vulnerabilities
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: rea-fbsd@codelabs.ru

>Number:         146337
>Category:       ports
>Synopsis:       [security] devel/lxr XSS vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    niels
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 05 18:50:02 UTC 2010
>Closed-Date:    Fri May 28 19:08:44 UTC 2010
>Last-Modified:  Fri May 28 19:08:44 UTC 2010
>Originator:     Niels Heinen
>Release:        8.0-STABLE
>Organization:
>Environment:
>Description:


From the bug report:

There are several cross-site scripting vulnerabilities in LXR.  These
vulnerabilities could allow an attacker to execute scripts in a user's
browser, steal cookies associated with vulnerable domains,
redirect the user to malicious websites, etc.

This PR is to request a port upgrade. A VuXML entry will be committed shortly and therefore the port will be marked vulnerable until this PR is solved.

>How-To-Repeat:
N/A
>Fix:

Two actions are required:

1) Please upgrade the port to version 0.9.8 (fixes CVE-2009-4497)
2) Apply the following patch:
   http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64

Thanks in advance!
Niels

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->niels 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed May 5 18:50:12 UTC 2010 
Responsible-Changed-Why:  
Submitter has GNATS access (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146337 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed May 5 18:50:16 UTC 2010 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146337 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: rea-fbsd@codelabs.ru
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Wed, 5 May 2010 18:50:15 UT

 Maintainer of devel/lxr,
 
 Please note that PR ports/146337 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/146337
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/146337: commit references a PR
Date: Wed,  5 May 2010 19:12:52 +0000 (UTC)

 niels       2010-05-05 19:12:37 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   - Added mediawiki and lxr vulnerabilities
   - Fixed vlc topic format (lower case, portname first)
   
   PR:             ports/146337
   Approved by:    itetcu (mentor, implicit)
   Security:       http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
   Security:       http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com
   
   Revision  Changes    Path
   1.2154    +69 -2     ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Thu, 6 May 2010 22:56:27 +0400

 Wed, May 05, 2010 at 06:50:15PM +0000, Edwin Groothuis wrote:
 > Please note that PR ports/146337 has just been submitted.
 
 Upgraded port to 0.9.8 and now it is being tested inside the local
 Tinderbox and at my own LXR instances.  Will try to roll out the
 patch before tomorrow.
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Niels Heinen <niels@FreeBSD.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 7 May 2010 10:15:22 +0400

 Niels, good day.
 
 Thu, May 06, 2010 at 09:23:46PM +0200, Niels Heinen wrote:
 > Thats great news and thanks for the quick response !
 
 No problems, but the news isn't as good as expected: 0.9.8 is terribly
 messed up and nearly unusable.  So, I bumped the port to 0.9.6_1
 applying two security patches for the Common.pm.  The patch is at
   http://codelabs.ru/fbsd/ports/lxr/0.9.6-fix-CVE-2009-4497.diff
 VUXML entry needs no fixing, because the version specification is
 '<= 0.9.6', so 0.9.6_1 will be already fine.
 
 I am working on the upgrade to 0.9.8, but this will take up some
 time: looks like people from LXR are not testing their code at all,
 because it is broken all over the place.
 
 Thanks!
 -- 
 Eygene

From: Niels Heinen <niels@FreeBSD.org>
To: rea-fbsd@codelabs.ru
Cc: bug-followup@freebsd.org
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 07 May 2010 12:26:01 +0200

 Thanks. The patch looks ok. I only added the removal of the new .orig
 files, which were not (and should not be) in pkg-plist.
 
 Shall I commit this one then?
 
 http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff
 
 Niels
 
 On 05/07/10 08:15, Eygene Ryabinkin wrote:
 > Niels, good day.
 > 
 > Thu, May 06, 2010 at 09:23:46PM +0200, Niels Heinen wrote:
 >> Thats great news and thanks for the quick response !
 > 
 > No problems, but the news isn't as good as expected: 0.9.8 is terribly
 > messed up and nearly unusable.  So, I bumped the port to 0.9.6_1
 > applying two security patches for the Common.pm.  The patch is at
 >   http://codelabs.ru/fbsd/ports/lxr/0.9.6-fix-CVE-2009-4497.diff
 > VUXML entry needs no fixing, because the version specification is
 > '<= 0.9.6', so 0.9.6_1 will be already fine.
 > 
 > I am working on the upgrade to 0.9.8, but this will take up some
 > time: looks like people from LXR are not testing their code at all,
 > because it is broken all over the place.
 > 
 > Thanks!
 
 -- 
 Niels Heinen
 FreeBSD committer | www.freebsd.org
 PGP: 0x5FE39B80
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Niels Heinen <niels@FreeBSD.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 7 May 2010 18:44:31 +0400

 Niels,
 
 Fri, May 07, 2010 at 12:26:01PM +0200, Niels Heinen wrote:
 > Thanks. The patch looks ok. I only added the removal of the new .orig
 > files, which were not (and should not be) in pkg-plist.
 > 
 > Shall I commit this one then?
 > 
 > http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 > http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff
 
 The removal of the .orig files is good, but it is redundant in the
 current version of the Makefile: it has the following lines for the
 install target ("do-install"):
 {{{
 	${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
 	${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
 }}}
 So, .orig files will only live inside WRKSRC, they won't be installed
 and so, they (obviously) aren't specified in the pkg-plist.
 
 But maybe I am missing something?
 -- 
 Eygene

From: Niels Heinen <bsd@heinen.ws>
To: "rea-fbsd@codelabs.ru" <rea-fbsd@codelabs.ru>
Cc: Niels Heinen <niels@FreeBSD.org>,
 "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 7 May 2010 17:44:04 +0200

 It's not a duplicate because the current makefile removes the .orig from
 the distfile during extraction. My change cleans up the .origs that
 are created by 'patch' (when applying the patchfiles) so that these
 aren't installed.
 
 I have to give credits to tinderbox ;)
 
 
 
 Sent from my mobile
 
 On 7 May 2010 at 16:44, Eygene Ryabinkin <rea-fbsd@codelabs.ru>
 wrote:
 
 > Niels,
 >
 > Fri, May 07, 2010 at 12:26:01PM +0200, Niels Heinen wrote:
 >> Thanks. The patch looks ok. I only added the removal of the new .orig
 >> files, which were not (and should not be) in pkg-plist.
 >>
 >> Shall I commit this one then?
 >>
 >> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 >> http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff
 >
 > The removal of the .orig files is good, but it is redundant in the
 > current version of the Makefile: it has the following lines for the
 > install target ("do-install"):
 > {{{
 >    ${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
 >    ${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
 > }}}
 > So, .orig files will only live inside WRKSRC, they won't be installed
 > and so, they (obviously) aren't specified in the pkg-plist.
 >
 > But maybe I am missing something?
 > -- 
 > Eygene

From: "rea-fbsd@codelabs.ru" <rea-fbsd@codelabs.ru>
To: Niels Heinen <bsd@heinen.ws>
Cc: Niels Heinen <niels@FreeBSD.org>,
	"bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 7 May 2010 20:21:46 +0400

 Niels,
 
 Fri, May 07, 2010 at 05:44:04PM +0200, Niels Heinen wrote:
 > It's not a duplicate because the current makefile removes the .orig from
 > the distfile during extraction. My change cleans up the .origs that
 > are created by 'patch' (when applying the patchfiles) so that these
 > aren't installed.
 
 Please, note that the 'install' phase is completely done by the
 port's Makefile (not the LXR Makefile), so you can't refer to the
 LXR's makefiles -- they are just not used.
 
 > I have to give credits to tinderbox ;)
 
 Please, look at your tinderbox's logs at
   http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 section 'phase 6: make install' and you'll see what I am talking
 about.
 
 Maybe you meant that you had some errors with my patch?  If yes,
 can you show the logs or anything?
 
 Thanks.
 -- 
 Eygene

From: Niels Heinen <niels@FreeBSD.org>
To: rea-fbsd@codelabs.ru
Cc: "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Fri, 07 May 2010 19:53:52 +0200

 > 
 > Maybe you meant that you had some errors with my patch?  If yes,
 > can you show the logs or anything?
 > 
 
 Hi Eygene,
 
 I've rebuilt the package without my modifications and now the .orig
 files are not removed. Please reload the log file to see the error:
 
 http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 
 Can you please check this ?
 
 Niels
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Niels Heinen <niels@FreeBSD.org>
Cc: "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Sun, 9 May 2010 19:53:27 +0400

 Niels, good day.
 
 Fri, May 07, 2010 at 07:53:52PM +0200, Niels Heinen wrote:
 > I've rebuilt the package without my modifications and now the .orig
 > files are not removed. Please reload the log file to see the error:
 > 
 > http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 > 
 > Can you please check this ?
 
 My Tinderbox shows no such error, but I have one idea of
 what can go wrong: shell metacharacters could be substituted.
 Please, try this additional patch at your Tindy:
    http://codelabs.ru/fbsd/ports/lxr/0.9.6-use-wildcard-quoting.diff
 
 Thanks for your patience!
 -- 
 Eygene
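The do-install lines quoted earlier and the wildcard-quoting hypothesis above, as an added example that is not code from the PR or the lxr port: it builds a scratch tree (constructed paths, file names and a stray Makefile.orig) and shows why the unquoted `--exclude *.orig` installs a `.orig` file only on some machines while the quoted form never does.

```sh
#!/bin/sh
# Added example, not part of the PR or the lxr port.  The port's do-install
# line passes an unquoted "--exclude *.orig" to tar; if the directory make(1)
# runs from happens to contain a file matching *.orig, the shell expands the
# glob there and tar never sees the pattern.  Everything below is constructed.

# Scratch tree mimicking ${WRKSRC} after patch(1) ran (module plus its .orig
# backup), an empty ${PREFIX}, and a "cwd" for make(1) holding a stray .orig.
setup_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/wrksrc/lib/LXR" "$tmp/prefix" "$tmp/cwd"
    echo 'package LXR::Common;' > "$tmp/wrksrc/lib/LXR/Common.pm"
    cp "$tmp/wrksrc/lib/LXR/Common.pm" "$tmp/wrksrc/lib/LXR/Common.pm.orig"
    : > "$tmp/cwd/Makefile.orig"   # the trigger; without it both variants agree
    echo "$tmp"
}

# $1 = tree from setup_tree, $2 = "unquoted" (port as shipped) or "quoted" (fix).
# Prints how many .orig files ended up under the fake ${PREFIX}.
install_lxr() {
    tmp=$1
    rm -rf "$tmp/prefix" && mkdir "$tmp/prefix"
    (
        cd "$tmp/cwd" || exit 1
        if [ "$2" = unquoted ]; then
            # The shell rewrites *.orig to Makefile.orig, so tar is told to
            # exclude a file that is not even in the archive.
            tar -C "$tmp/wrksrc/lib" -cf - --exclude *.orig LXR |
                tar -C "$tmp/prefix" -xf -
        else
            # Quoting hands the literal pattern to tar, which applies it to
            # every member, including LXR/Common.pm.orig.
            tar -C "$tmp/wrksrc/lib" -cf - --exclude '*.orig' LXR |
                tar -C "$tmp/prefix" -xf -
        fi
    )
    find "$tmp/prefix" -name '*.orig' | wc -l | tr -d ' '
}

tree=$(setup_tree) || exit 1
echo "unquoted: $(install_lxr "$tree" unquoted) .orig file(s) installed"   # 1
echo "quoted:   $(install_lxr "$tree" quoted) .orig file(s) installed"     # 0
rm -rf "$tree"
```

A Tinderbox whose build directory has no `*.orig` file passes the glob through unexpanded, which is why one builder reproduced the stray file and the other did not.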

From: Niels Heinen <niels@FreeBSD.org>
To: rea-fbsd@codelabs.ru
Cc: "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Tue, 11 May 2010 20:07:57 +0200

 Yes that works.. pffheeww ;-)))
 
 Shall I commit ?
 
 Thanks!
 Niels
 
 On 05/09/10 17:53, Eygene Ryabinkin wrote:
 > Niels, good day.
 > 
 > Fri, May 07, 2010 at 07:53:52PM +0200, Niels Heinen wrote:
 >> I've rebuilt the package without my modifications and now the .orig
 >> files are not removed. Please reload the log file to see the error:
 >>
 >> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
 >>
 >> Can you please check this ?
 > 
 > My Tinderbox shows no such error, but I have one idea of
 > what can go wrong: shell metacharacters could be substituted.
 > Please, try this additional patch at your Tindy:
 >    http://codelabs.ru/fbsd/ports/lxr/0.9.6-use-wildcard-quoting.diff
 > 
 > Thanks for your patience!
 
 -- 
 Niels Heinen
 FreeBSD committer | www.freebsd.org
 PGP: 0x5FE39B80
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Niels Heinen <niels@FreeBSD.org>
Cc: "bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: ports/146337: [security] devel/lxr XSS vulnerabilities
Date: Wed, 12 May 2010 08:36:15 +0400

 Tue, May 11, 2010 at 08:07:57PM +0200, Niels Heinen wrote:
 > Yes that works.. pffheeww ;-)))
 
 Cool, thanks for the testing!
 
 > Shall I commit ?
 
 Sure!
 -- 
 Eygene

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/146337: commit references a PR
Date: Wed, 12 May 2010 09:14:09 +0000 (UTC)

 niels       2010-05-12 09:13:54 UTC
 
   FreeBSD ports repository
 
   Modified files:
     devel/lxr            Makefile 
   Added files:
     devel/lxr/files      patch-CVE-2009-4497 
                          patch-fix-clean_identifier 
   Removed files:
     devel/lxr/files      fix-perl-warnings.patch 
   Log:
   Added security patch for XSS vulnerability (CVE-2009-4497)
   
   PR:             ports/146337
   Submitted by:   Eygene Ryabinkin (maintainer)
   Approved by:    itetcu (mentor, implicit)
   Security:       http://www.vuxml.org/freebsd/0491d15a-5875-11df-8d80-0015587e2cc1.html
   
   Revision  Changes    Path
   1.3       +4 -4      ports/devel/lxr/Makefile
   1.2       +0 -127    ports/devel/lxr/files/fix-perl-warnings.patch (dead)
   1.1       +14 -0     ports/devel/lxr/files/patch-CVE-2009-4497 (new)
   1.1       +20 -0     ports/devel/lxr/files/patch-fix-clean_identifier (new)
 
State-Changed-From-To: feedback->closed 
State-Changed-By: niels 
State-Changed-When: Fri May 28 19:08:16 UTC 2010 
State-Changed-Why:  

Committed and fixed 



http://www.freebsd.org/cgi/query-pr.cgi?pr=146337 
>Unformatted:
