authortron <tron@pkgsrc.org>2014-05-21 13:34:55 +0000
committertron <tron@pkgsrc.org>2014-05-21 13:34:55 +0000
commit9c021b3da27ad57c38b84720971521a35ca6622a (patch)
tree5db0112825c6319ed34c1fe69591707cb7793fec
parentb47b3e5ad2daf03e1e4f875713502f51ac8bd3cf (diff)
Pullup ticket #4414 - requested by he
textproc/libxml2: security patch Revisions pulled up: - textproc/libxml2/Makefile 1.129 - textproc/libxml2/distinfo 1.103 - textproc/libxml2/patches/patch-parser.c 1.1 --- Module Name: pkgsrc Committed By: spz Date: Sat May 10 22:45:42 UTC 2014 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-parser.c Log Message: add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/ from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
-rw-r--r--textproc/libxml2/Makefile4
-rw-r--r--textproc/libxml2/distinfo3
-rw-r--r--textproc/libxml2/patches/patch-parser.c28
3 files changed, 32 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 3a006e2b6a6..bb2d7e7203a 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.128.4.1 2014/05/21 13:34:55 tron Exp $
DISTNAME= libxml2-2.9.1
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= textproc
MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index cdc7f5722dc..31f6315f144 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.102.4.1 2014/05/21 13:34:55 tron Exp $
SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
@@ -10,5 +10,6 @@ SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
new file mode 100644
index 00000000000..fcd658c405a
--- /dev/null
+++ b/textproc/libxml2/patches/patch-parser.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-parser.c,v 1.1.2.2 2014/05/21 13:34:55 tron Exp $
+
+Do not fetch external parameter entities (CVE-2014-0191)
+https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
+
+--- parser.c.orig 2013-04-16 13:39:18.000000000 +0000
++++ parser.c
+@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently.
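Review bot: The early return in the nested hunk keys only on XML_PARSE_NOENT, XML_PARSE_DTDVALID and ctxt->validate, so a caller that requests DTD loading with XML_PARSE_DTDLOAD alone will presumably also stop seeing external parameter entities after this patch, and the patch header does not record that behavioral consequence. The header comment should name it so downstream packages that depend on external DTD loading can be checked, e.g. `External parameter entities are skipped unless NOENT, DTDVALID or validation is requested; DTDLOAD alone no longer loads them.`. The return leaves xmlParserHandlePEReference before the "extra spaces" handling visible in the context lines, but the function starts and ends outside the hunk, so whether the PE reference has already been consumed from the input at that point cannot be confirmed here. The distinfo entry added for patch-parser.c matches the new file, so the packaging side is consistent.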