
devel/upp: update to 11873
Closed, Public

Authored by fernape on Jun 26 2018, 6:14 PM.

Details

Summary

Sent via PR 227414
Maintainer already timed out

I had to add -msse2 to make it compile in i386

Test Plan
  • portlint -AC OK
  • poudriere builds for {10.4,11.1}{amd64,i386}, 12i386 OK
  • run test in 11.1 amd64 OK

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

You should first commit an entry to vuln.xml: https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html (you can prepare the change in this review here so that it is all together)

There is a shorthand for the Makefile logic: CXXFLAGS_i386= -msse2

  • Simplify usage of architecture specific CXXFLAGS
  • Add vuxml entry. There was already an entry for the SQLite sec. advisory. I based mine on that one.
devel/upp/Makefile
132 ↗(On Diff #44490)

or add -o -name '*.orig' to the find(1) specifications just above.

Improve handling of .orig files.

security/vuxml/vuln.xml
67 ↗(On Diff #44532)

^ this would affect the new version too

security/vuxml/vuln.xml
67 ↗(On Diff #44532)

The new version has it fixed with files/patch-uppsrc_plugin_sqlite3_lib_sqlite3.c

you misunderstood; I mean this

> pkg audit -f security/vuxml/vuln.xml `make -VPKGNAME -C devel/upp`
upp-11873 is vulnerable:
SQLite -- Corrupt DB can cause a NULL pointer dereference
CVE: CVE-2018-8740
WWW: https://vuxml.FreeBSD.org/freebsd/c1630aa3-7970-11e8-8634-dcfe074bd614.html

1 problem(s) in the installed packages found.

you misunderstood; I mean this

:O yes, I did! :-)

I fixed the vuxml entry.

> pkg audit -f security/vuxml/vuln.xml `make -VPKGNAME -C devel/upp`
upp-11873 is vulnerable:
SQLite -- Corrupt DB can cause a NULL pointer dereference
CVE: CVE-2018-8740
WWW: https://vuxml.FreeBSD.org/freebsd/c1630aa3-7970-11e8-8634-dcfe074bd614.html

1 problem(s) in the installed packages found.
This revision is now accepted and ready to land. Jul 15 2018, 8:44 AM
This revision was automatically updated to reflect the committed changes.
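
The range problem raised in this thread (a VuXML entry that still matches the updated package), as an added example that is not part of the review or the ports tree. The range bounds in both fragments are constructed, and `version_key` is a simplified stand-in for pkg's own version comparison.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed VuXML fragment: vid, topic and package name are from the review;
# the range bound is an assumption chosen to reproduce the reported symptom.
TOO_WIDE = """<vuln vid="c1630aa3-7970-11e8-8634-dcfe074bd614">
  <topic>SQLite -- Corrupt DB can cause a NULL pointer dereference</topic>
  <affects><package><name>upp</name>
    <range><le>11873</le></range>
  </package></affects>
</vuln>"""
# Same entry with an exclusive upper bound at the fixed version (also constructed).
FIXED = TOO_WIDE.replace("<le>11873</le>", "<lt>11873</lt>")

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def version_key(version):
    """Order by epoch, numeric version components, then port revision.
    Simplified: handles forms like 11873, 1.2.3_1 and 1.2,1 only."""
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    parts = tuple(int(p) for p in version.split("."))
    return (int(epoch or 0), parts, int(revision or 0))

def affected(vuln_xml, pkgname):
    """True if any <range> for the package matches pkgname ("name-version")."""
    name, _, version = pkgname.rpartition("-")
    key = version_key(version)
    for pkg in ET.fromstring(vuln_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # Every bound inside one <range> must hold for the range to match.
            if all(OPS[b.tag](key, version_key(b.text)) for b in rng):
                return True
    return False

if __name__ == "__main__":
    for label, entry in (("too wide", TOO_WIDE), ("fixed", FIXED)):
        print(label, affected(entry, "upp-11873"))
```

The `pkg audit -f` run quoted in the thread remains the authoritative check, since it uses pkg's real version comparison against the actual vuln.xml.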