Greetings,

We're in a dependency mess with a high-profile port vulnerable and unmaintained, <https://xkcd.com/2347/>, namely textproc/libxslt.

We also have five unpatched libxml2 vulnerabilities; I have not assessed whether the patches are up for cherry-picking and whether they are breaking changes or just implementation fixes.

Some of the patches discussed upstream in the issue trackers seem to somehow break ABI and/or API and at least require recompilation of users, so we can't just cherry-pick patches.

2945 port records in ports/INDEX-14 depend on libxslt (including indirect dependencies), which has no maintainer and four known security vulnerabilities, two of which are disclosed.

Shy of 300 ports files reference libxslt at a /usr/ports/*/*/* level, counting five slashes like so:

rg libxslt /usr/ports -l | tr -cd $'/\n' | grep '^/////$' | wc -l

Some 100 ports reference xmlto or minixmlto, which also directly depend on libxslt.

(I have committed a vuln.xml entry earlier.)


Tough times...

Matthias
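As an added example (not code from Matthias's mail or from the ports tree), the dependent count from ports/INDEX-14 can be reproduced by parsing INDEX directly instead of grepping Makefiles. It assumes the INDEX layout of 13 pipe-separated fields per record, with build-depends in field 8 and run-depends in field 9 already expanded to include indirect dependencies; the sample records below are constructed.

```python
"""Count FreeBSD ports that depend on a package, from a ports INDEX file."""
import re

# Assumed INDEX layout: 13 pipe-separated fields per record, build-depends
# in field 8 and run-depends in field 9 (space-separated package names with
# versions). INDEX already expands indirect dependencies, so a single pass
# gives the "including indirects" count from the mail.
_PORTDIR, _BDEPS, _RDEPS = 1, 7, 8          # zero-based field indices
_VERSION = re.compile(r"-[^-]+$")           # "libxslt-1.1.43" -> "libxslt"

def index_record(pkgname, portdir, bdeps="", rdeps=""):
    """Build one 13-field INDEX line; non-dependency fields are filler."""
    return "|".join([pkgname, f"/usr/ports/{portdir}", "/usr/local", "comment",
                     f"/usr/ports/{portdir}/pkg-descr", "[email protected]",
                     portdir.split("/")[0], bdeps, rdeps, "https://example.invalid",
                     "", "", ""])

# Constructed sample, not real INDEX-14 data; versions are made up.
SAMPLE_INDEX = "\n".join([
    index_record("libxml2-2.13.8", "textproc/libxml2"),
    index_record("libxslt-1.1.43", "textproc/libxslt",
                 "libxml2-2.13.8", "libxml2-2.13.8"),
    index_record("xmlto-0.0.29", "textproc/xmlto",
                 "libxml2-2.13.8 libxslt-1.1.43", "libxml2-2.13.8 libxslt-1.1.43"),
    index_record("minixmlto-0.0.3", "textproc/minixmlto",
                 "libxslt-1.1.43 libxml2-2.13.8", "libxslt-1.1.43 libxml2-2.13.8"),
    # needs xmlto only to build; INDEX still lists libxslt as an indirect dep
    index_record("someapp-1.0", "www/someapp",
                 "xmlto-0.0.29 libxslt-1.1.43 libxml2-2.13.8", "libxml2-2.13.8"),
    index_record("mod_http2-2.0.30", "www/mod_http2"),
])

def dependents(index_text, package):
    """Sorted portdirs whose build or run dependencies include `package`.

    The trailing -version is stripped from each dependency so that any
    version of the package matches.
    """
    found = set()
    for line in index_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) < 13:
            raise ValueError(f"malformed INDEX record: {line[:40]!r}")
        deps = fields[_BDEPS].split() + fields[_RDEPS].split()
        if any(_VERSION.sub("", d) == package for d in deps):
            found.add(fields[_PORTDIR].removeprefix("/usr/ports/"))
    return sorted(found)
```

Running `len(dependents(open("/usr/ports/INDEX-14").read(), "libxslt"))` on a real INDEX gives the same "including indirects" figure the mail quotes, since INDEX dependency lists are already transitively closed.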
--- Begin Message ---
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dceb46fc8a6eea281dbafc46e6452a9d82550b09

commit dceb46fc8a6eea281dbafc46e6452a9d82550b09
Author:     Matthias Andree <[email protected]>
AuthorDate: 2025-07-12 09:10:11 +0000
Commit:     Matthias Andree <[email protected]>
CommitDate: 2025-07-12 09:13:36 +0000

    textproc/libxml2, textproc/libxslt: vulnerable
    
    Note that libxslt is vulnerable, unfixed, and without maintainer.
    Two of four vulnerabilities have been fixed.
    
    Note that libxml2 in our ports is vulnerable and there is no upstream
    release fixing these bugs, they need cherry-picks.
    
    Deprecate textproc/xmlto and textproc/minixmlto,
    which both depend on the unmaintained and vulnerable libxslt.
    I have filed https://pagure.io/xmlto/issue/15 to ask the xmlto
    upstream to switch to different XML/XSLT libraries.
    
    Two issues are undisclosed and do not seem to have a CVE assigned yet.
    
    Security:       CVE-2025-6021
    Security:       CVE-2025-6170
    Security:       CVE-2025-7424
    Security:       CVE-2025-7425
    Security:       CVE-2025-49794
    Security:       CVE-2025-49795
    Security:       CVE-2025-49795
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/932
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/935
    Security:       https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
    Security:       https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
    Security:       https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
    Security:       https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
    Security:       https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
    Security:       https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
    Security:       https://www.openwall.com/lists/oss-security/2025/06/16/6
---
 security/vuxml/vuln/2025.xml | 107 +++++++++++++++++++++++++++++++++++++++++++
 textproc/libxslt/Makefile    |   3 ++
 textproc/minixmlto/Makefile  |   3 ++
 textproc/xmlto/Makefile      |  29 +++++++-----
 4 files changed, 130 insertions(+), 12 deletions(-)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index cbaccdd8f0ad..a37b43d29650 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,110 @@
+  <vuln vid="b0a3466f-5efc-11f0-ae84-99047d0a6bcc">
+    <topic>libxslt -- unmaintained, with multiple unfixed 
vulnerabilities</topic>
+    <affects>
+      <package>
+       <name>libxslt</name>
+       <range><lt>2</lt></range> <!-- adjust should libxslt ever be fixed -->
+      </package>
+    </affects>
+    <description>
+       <body xmlns="http://www.w3.org/1999/xhtml";>
+       <p>Alan Coopersmith reports:</p>
+       <blockquote 
cite="https://www.openwall.com/lists/oss-security/2025/07/11/2";>
+         <p>On 6/16/25 15:12, Alan Coopersmith wrote:</p>
+         <p><em>
+           BTW, users of libxml2 may also be using its sibling project, 
libxslt,
+           which currently has no active maintainer, but has three unfixed 
security issues
+           reported against it according to
+           <a 
href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt";>
+               
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a>
+         </em></p>
+         <p>2 of the 3 have now been disclosed:</p>
+         <p>(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between 
stylesheet and source nodes<br />
+           <a 
href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/139";>https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</a>
+           <a 
href="https://project-zero.issues.chromium.org/issues/409761909";>https://project-zero.issues.chromium.org/issues/409761909</a></p>
+         <p>(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused 
by `atype` corruption<br />
+           <a 
href="https://gitlab.gnome.org/GNOME/libxslt/-/issues/140";>https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</a><br
 /><a 
href="https://project-zero.issues.chromium.org/issues/410569369";>https://project-zero.issues.chromium.org/issues/410569369</a></p>
+         <p>Engineers from Apple &amp; Google have proposed patches in the 
GNOME gitlab issues,
+         but neither has had a fix applied to the git repo since there is 
currently no
+           maintainer for libxslt.</p>
+       </blockquote>
+       <p>Note that a fourth vulnerability was reported on June 18, 2025, 
which remains undisclosed to date (GNOME libxslt issue 148, link below), see
+         <a 
href="https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt";>
+           
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</a>
+       </p>
+       </body>
+    </description>
+    <references>
+      <cvename>CVE-2025-7424</cvename>
+      <cvename>CVE-2025-7425</cvename>
+      
<url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/139</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/140</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/144</url>
+      <url>https://gitlab.gnome.org/GNOME/libxslt/-/issues/148</url>
+      
<url>https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988</url>
+    </references>
+    <dates>
+      <discovery>2025-04-10</discovery>
+      <entry>2025-07-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="abbc8912-5efa-11f0-ae84-99047d0a6bcc">
+    <topic>libxml2 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+       <name>libxml2</name>
+       <range><lt>3.0</lt></range> <!-- needs update once fixed version 
appears -->
+      </package>
+    </affects>
+    <description>
+       <body xmlns="http://www.w3.org/1999/xhtml";>
+       <p>Alan Coopersmith reports:</p>
+       <blockquote 
cite="https://www.openwall.com/lists/oss-security/2025/06/16/6";>
+         <p>As discussed in
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/913";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</a>
 the
+         security policy of libxml2 has been changed to disclose 
vulnerabilities
+         before fixes are available so that people other than the maintainer 
can
+           contribute to fixing security issues in this library.</p>
+         <p>As part of this, the following 5 CVE's have been disclosed 
recently:</p>
+         <p>(CVE-2025-49794) Heap use after free (UAF) leads to Denial of 
service (DoS)
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/931";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</a>
 [...]</p>
+         <p>(CVE-2025-49795) Null pointer dereference leads to Denial of 
service (DoS)
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/932";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</a>
 [...]</p>
+         <p>(CVE-2025-49796) Type confusion leads to Denial of service (DoS)
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/933";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</a>
 [...]</p>
+         <p>For all three of the above, note that upstream is considering 
removing Schematron support completely, as discussed in
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/935";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</a>.</p>
+         <p>(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in 
xmlBuildQName()
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/926";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</a>
 [...]</p>
+         <p>(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell
+           <a 
href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/941";>https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</a>
 [...]</p>
+       </blockquote>
+       </body>
+    </description>
+    <references>
+      <cvename>CVE-2025-6021</cvename>
+      <cvename>CVE-2025-6170</cvename>
+      <cvename>CVE-2025-49794</cvename>
+      <cvename>CVE-2025-49795</cvename>
+      <cvename>CVE-2025-49795</cvename>
+      <url>https://www.openwall.com/lists/oss-security/2025/06/16/6</url>
+      
<url>https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/913</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/931</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/932</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/933</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/935</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/926</url>
+      <url>https://gitlab.gnome.org/GNOME/libxml2/-/issues/941</url>
+    </references>
+    <dates>
+      <discovery>2025-05-27</discovery>
+      <entry>2025-07-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="61d74f80-5e9e-11f0-8baa-8447094a420f">
     <topic>mod_http2 -- Multiple vulnerabilities</topic>
     <affects>
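Review bot: the libxml2 entry's `<references>` block lists `<cvename>CVE-2025-49795</cvename>` twice, while its description names five CVEs including CVE-2025-49796 (type confusion, libxml2 issue 933), which is missing from the references; the second copy should read `<cvename>CVE-2025-49796</cvename>` (the commit message's `Security:` lines carry the same duplicate). Also, the `<range><lt>2</lt></range>` for libxslt and `<lt>3.0</lt>` for libxml2 mark every shipped version as affected; the XML comments say so, but a sentence in each `<description>` stating that no fixed release exists would make that visible to readers of the rendered vuxml page.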
diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile
index dcfd2041aefc..344606952e8f 100644
--- a/textproc/libxslt/Makefile
+++ b/textproc/libxslt/Makefile
@@ -12,6 +12,9 @@ WWW=          https://gitlab.gnome.org/GNOME/libxslt/
 LICENSE=       MIT
 LICENSE_FILE=  ${WRKSRC}/Copyright
 
+DEPRECATED=    unmaintained with multiple unfixed security vulnerabilities
+EXPIRATION_DATE=2025-09-12
+
 # See note in textproc/libxml2 for why this port uses autotools
 USES=          cpe gmake gnome libtool localbase:ldflags pathfix pkgconfig 
tar:xz
 CPE_VENDOR=    xmlsoft
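Review bot: the `DEPRECATED=` message gives users of the roughly 2945 dependent ports nothing to follow up on; suggest appending the vuxml vid or the GNOME security wiki URL, e.g. `DEPRECATED=    unmaintained with multiple unfixed security vulnerabilities, see vuxml b0a3466f-5efc-11f0-ae84-99047d0a6bcc`, and noting in the commit message what is expected of dependents before the 2025-09-12 `EXPIRATION_DATE`.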
diff --git a/textproc/minixmlto/Makefile b/textproc/minixmlto/Makefile
index 0f7b3a058b33..351240e79858 100644
--- a/textproc/minixmlto/Makefile
+++ b/textproc/minixmlto/Makefile
@@ -9,6 +9,9 @@ WWW=            https://github.com/bapt/minixmlto
 
 LICENSE=       BSD2CLAUSE
 
+DEPRECATED=     Depends on vulnerable unmaintained libxslt
+EXPIRATION_DATE=2025-09-12
+
 RUN_DEPENDS=   docbook-xsl>0:textproc/docbook-xsl \
                xsltproc:textproc/libxslt \
                html2text:textproc/html2text \
diff --git a/textproc/xmlto/Makefile b/textproc/xmlto/Makefile
index cd2e6c55d175..278d599474d7 100644
--- a/textproc/xmlto/Makefile
+++ b/textproc/xmlto/Makefile
@@ -17,6 +17,9 @@ WWW=          https://pagure.io/xmlto/
 
 LICENSE=       GPLv2
 
+DEPRECATED=    Depends on vulnerable unmaintained libxslt
+EXPIRATION_DATE=2025-09-12
+
 BUILD_DEPENDS= ${BASH_CMD}:shells/bash \
                ${GETOPT_CMD}:misc/getopt \
                xmllint:textproc/libxml2 \
@@ -27,8 +30,19 @@ BUILD_DEPENDS=       ${BASH_CMD}:shells/bash \
                docbook-xml>0:textproc/docbook-xml
 RUN_DEPENDS:=  ${BUILD_DEPENDS}
 
+USES=          tar:bzip2
+GNU_CONFIGURE= yes
+GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
+CONFIGURE_ARGS=        BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} 
PDFXMLTEX=${PDFXMLTEX_CMD}
+MAKE_ENV+=     HOME=/dev/null
+
 SUB_FILES=     pkg-message
 
+PORTDOCS=      AUTHORS ChangeLog NEWS THANKS
+# these documentation files do not convey information useful for
+# the FreeBSD port at this time, or are provided by the ports framework:
+# PORTDOCS+=   COPYING FAQ README
+
 OPTIONS_DEFINE=        DOCS
 OPTIONS_GROUP=         BACKEND
 OPTIONS_GROUP_BACKEND=         DBLATEX FOP PASSIVETEX
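Review bot: this hunk moves `USES`, `GNU_CONFIGURE`, `GNU_CONFIGURE_MANPREFIX`, `CONFIGURE_ARGS`, `MAKE_ENV` and the `PORTDOCS` block up from their previous position (the matching removals are in the next hunk) without changing their values; that reordering is unrelated to the deprecation and the commit message does not mention it. Suggest either a separate commit or a line in the message such as "reorder variables to satisfy portclippy".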
@@ -37,21 +51,12 @@ DBLATEX_DESC=               Add dependency on DBlatex (DB 
for DocBook)
 FOP_DESC=              Add dependency on FOP (requires Java)
 PASSIVETEX_DESC=       Add dependency on XMLTeX/PassiveTeX
 
-USES=          tar:bzip2
-GNU_CONFIGURE= yes
-GNU_CONFIGURE_MANPREFIX=${PREFIX}/share
-CONFIGURE_ARGS=        BASH=${BASH_CMD} GETOPT=${GETOPT_CMD} 
PDFXMLTEX=${PDFXMLTEX_CMD}
-MAKE_ENV+=     HOME=/dev/null
-
 BASH_CMD=      ${LOCALBASE}/bin/bash
 GETOPT_CMD=    ${LOCALBASE}/bin/getopt
-XSL_DIR=       ${LOCALBASE}/share/xsl/docbook
 PDFXMLTEX_CMD= ${LOCALBASE}/bin/pdftex
-
-PORTDOCS=      AUTHORS ChangeLog NEWS THANKS
-# these documentation files do not convey information useful for
-# the FreeBSD port at this time, or are provided by the ports framework:
-# PORTDOCS+=   COPYING FAQ README
+.ifnmake portclippy
+XSL_DIR=       ${LOCALBASE}/share/xsl/docbook
+.endif
 
 .include <bsd.port.pre.mk>
 

--- End Message ---
