author | tron <tron@pkgsrc.org> | 2014-05-21 13:34:55 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2014-05-21 13:34:55 +0000 |
commit | 9c021b3da27ad57c38b84720971521a35ca6622a (patch) | |
tree | 5db0112825c6319ed34c1fe69591707cb7793fec /textproc/libxml2/patches/patch-parser.c | |
parent | b47b3e5ad2daf03e1e4f875713502f51ac8bd3cf (diff) | |
download | pkgsrc-9c021b3da27ad57c38b84720971521a35ca6622a.tar.gz |
Pullup ticket #4414 - requested by he
textproc/libxml2: security patch
Revisions pulled up:
- textproc/libxml2/Makefile 1.129
- textproc/libxml2/distinfo 1.103
- textproc/libxml2/patches/patch-parser.c 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sat May 10 22:45:42 UTC 2014
Modified Files:
pkgsrc/textproc/libxml2: Makefile distinfo
Added Files:
pkgsrc/textproc/libxml2/patches: patch-parser.c
Log Message:
add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/
from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Diffstat (limited to 'textproc/libxml2/patches/patch-parser.c')
-rw-r--r-- | textproc/libxml2/patches/patch-parser.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c new file mode 100644 index 00000000000..fcd658c405a --- /dev/null +++ b/textproc/libxml2/patches/patch-parser.c @@ -0,0 +1,28 @@ +$NetBSD: patch-parser.c,v 1.1.2.2 2014/05/21 13:34:55 tron Exp $ + +Do not fetch external parameter entities (CVE-2014-0191) +https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df + +--- parser.c.orig 2013-04-16 13:39:18.000000000 +0000 ++++ parser.c +@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt + xmlCharEncoding enc; + + /* ++ * Note: external parsed entities will not be loaded, it is ++ * not required for a non-validating parser, unless the ++ * option of validating, or substituting entities were ++ * given. Doing so is far more secure as the parser will ++ * only process data coming from the document entity by ++ * default. ++ */ ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ (ctxt->validate == 0)) ++ return; ++ ++ /* + * handle the extra spaces added before and after + * c.f. http://www.w3.org/TR/REC-xml#as-PE + * this is done independently. |
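Review bot: The early `return` added in xmlParserHandlePEReference, just before the "handle the extra spaces" comment, only fires when XML_PARSE_NOENT and XML_PARSE_DTDVALID are both clear and ctxt->validate is 0, so a caller that sets any of these still proceeds past the check for an external parameter entity. The patch header line "Do not fetch external parameter entities (CVE-2014-0191)" reads as unconditional; I would word it as "by default" or "unless validating or substituting entities" so that packagers and downstream users do not assume that applications parsing untrusted input with those options are covered. The new code comment also says "external parsed entities" while the test is on XML_EXTERNAL_PARAMETER_ENTITY only; narrowing the wording to "external parameter entities" would match what the condition checks.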