author | spz <spz> | 2014-05-10 22:45:42 +0000 |
---|---|---|
committer | spz <spz> | 2014-05-10 22:45:42 +0000 |
commit | 817e8f53aafecfa20f51891cd9d674d35508fe65 (patch) | |
tree | 0ead0f6ace3a0cb3fa8e074aaae114423c6c9a90 /textproc/libxml2 | |
parent | 3c4c0631adbb2c529ae53886b68fb2533bfa82a4 (diff) | |
download | pkgsrc-817e8f53aafecfa20f51891cd9d674d35508fe65.tar.gz |
add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/
from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Diffstat (limited to 'textproc/libxml2')
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 3 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-parser.c | 28 |
3 files changed, 32 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 3a006e2b6a6..bb26e9dd4e1 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.129 2014/05/10 22:45:42 spz Exp $
 DISTNAME= libxml2-2.9.1
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index cdc7f5722dc..418c6eea7a3 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
 SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
 RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
@@ -10,5 +10,6 @@ SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
 SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
new file mode 100644
index 00000000000..27171cb344f
--- /dev/null
+++ b/textproc/libxml2/patches/patch-parser.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $
+
+Do not fetch external parameter entities (CVE-2014-0191)
+https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
+
+--- parser.c.orig 2013-04-16 13:39:18.000000000 +0000
++++ parser.c
+@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently. |
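Review bot: The guard added in front of the "handle the extra spaces" comment tests only `XML_PARSE_NOENT`, `XML_PARSE_DTDVALID` and `ctxt->validate`, so a caller that asks for DTD loading through `XML_PARSE_DTDLOAD` or `XML_PARSE_DTDATTR`, or that sets `ctxt->replaceEntities` directly, would presumably have its external parameter entities skipped as well. If that is not intended, the test could also carry `((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&`, `((ctxt->options & XML_PARSE_DTDATTR) == 0) &&` and `(ctxt->replaceEntities == 0) &&`. The `return` is silent, so a skipped entity produces no warning and the document is simply parsed without it; a one-line comment at the `return` saying so would help the next reader. Code that parses untrusted input with `XML_PARSE_NOENT` or validation enabled still reaches the loading path after this guard and needs `XML_PARSE_NONET` or a restrictive entity loader independently of this patch. xmlParserHandlePEReference begins and ends outside the hunk.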