From b810506bb839cd0e729717a4da6e366c6ee9f74d Mon Sep 17 00:00:00 2001
From: drochner
Date: Fri, 17 Oct 2014 15:46:47 +0000
Subject: update to 2.9.2 -security fixes: -Fix for CVE-2014-3660 billion laugh variant -CVE-2014-0191 Do not fetch external parameter entities (was patched in pkgsrc) -many bugfixes, doc fixes, cleanup -added cmake macro
---
 textproc/libxml2/Makefile | 5 ++-
 textproc/libxml2/PLIST | 3 +-
 textproc/libxml2/distinfo | 10 +++---
 textproc/libxml2/patches/patch-parser.c | 28 -----------------
 textproc/libxml2/patches/patch-xzlib.c | 54 ---------------------------------
 5 files changed, 8 insertions(+), 92 deletions(-)
 delete mode 100644 textproc/libxml2/patches/patch-parser.c
 delete mode 100644 textproc/libxml2/patches/patch-xzlib.c
(limited to 'textproc/libxml2')
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 7712793981f..7ca32ecea12 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.131 2014/10/09 14:07:02 wiz Exp $
+# $NetBSD: Makefile,v 1.132 2014/10/17 15:46:47 drochner Exp $
-DISTNAME= libxml2-2.9.1
-PKGREVISION= 2
+DISTNAME= libxml2-2.9.2
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/PLIST b/textproc/libxml2/PLIST
index 593be8e00f1..fe41da1c0e4 100644
--- a/textproc/libxml2/PLIST
+++ b/textproc/libxml2/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.44 2013/05/26 09:22:14 adam Exp $
+@comment $NetBSD: PLIST,v 1.45 2014/10/17 15:46:47 drochner Exp $
 bin/xml2-config
 bin/xmlcatalog
 bin/xmllint
@@ -49,6 +49,7 @@ include/libxml2/libxml/xmlwriter.h
 include/libxml2/libxml/xpath.h
 include/libxml2/libxml/xpathInternals.h
 include/libxml2/libxml/xpointer.h
+lib/cmake/libxml2/libxml2-config.cmake
 lib/libxml2.la
 lib/pkgconfig/libxml-2.0.pc
 lib/xml2Conf.sh
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 418c6eea7a3..be4bb51597e 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
+$NetBSD: distinfo,v 1.104 2014/10/17 15:46:47 drochner Exp $
-SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
-RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
-Size (libxml2-2.9.1.tar.gz) = 5172503 bytes
+SHA1 (libxml2-2.9.2.tar.gz) = f46a37ea6d869f702e03f393c376760f3cbee673
+RMD160 (libxml2-2.9.2.tar.gz) = 969b4ed8782f455fd4a6ca1c1b4ffa7651090070
+Size (libxml2-2.9.2.tar.gz) = 5444991 bytes
 SHA1 (patch-aa) = 589a279df1a5fac8b1b2dbd0018a1bbf0c5ab169
 SHA1 (patch-ab) = 11567fe9a3fde42f3901fd4ab4620bf845fe634b
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
@@ -10,6 +10,4 @@ SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
-SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
-SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
deleted file mode 100644
index 27171cb344f..00000000000
--- a/textproc/libxml2/patches/patch-parser.c
+++ /dev/null
@@ -1,28 +0,0 @@
-$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $
-
-Do not fetch external parameter entities (CVE-2014-0191)
-https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
-
---- parser.c.orig 2013-04-16 13:39:18.000000000 +0000
-+++ parser.c
-@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
- xmlCharEncoding enc;
-
- /*
-+ * Note: external parsed entities will not be loaded, it is
-+ * not required for a non-validating parser, unless the
-+ * option of validating, or substituting entities were
-+ * given. Doing so is far more secure as the parser will
-+ * only process data coming from the document entity by
-+ * default.
-+ */
-+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ (ctxt->validate == 0))
-+ return;
-+
-+ /*
- * handle the extra spaces added before and after
- * c.f. http://www.w3.org/TR/REC-xml#as-PE
- * this is done independently.
diff --git a/textproc/libxml2/patches/patch-xzlib.c b/textproc/libxml2/patches/patch-xzlib.c
deleted file mode 100644
index 3fe047ec935..00000000000
--- a/textproc/libxml2/patches/patch-xzlib.c
+++ /dev/null
@@ -1,54 +0,0 @@
-$NetBSD: patch-xzlib.c,v 1.1 2013/11/25 23:30:23 wiz Exp $
-
-Fix bug in gzip decompression.
-https://bugzilla.gnome.org/show_bug.cgi?id=712528
-
---- xzlib.c.orig 2013-02-27 05:08:52.000000000 +0000
-+++ xzlib.c
-@@ -245,6 +245,20 @@ xz_avail(xz_statep state)
- return 0;
- }
-
-+#ifdef HAVE_ZLIB_H
-+static int
-+xz_avail_zstrm(xz_statep state)
-+{
-+ int ret;
-+ state->strm.avail_in = state->zstrm.avail_in;
-+ state->strm.next_in = state->zstrm.next_in;
-+ ret = xz_avail(state);
-+ state->zstrm.avail_in = (uInt) state->strm.avail_in;
-+ state->zstrm.next_in = (Bytef *) state->strm.next_in;
-+ return ret;
-+}
-+#endif
-+
- static int
- is_format_xz(xz_statep state)
- {
-@@ -314,6 +328,10 @@ is_format_lzma(xz_statep state)
- #define NEXT() ((strm->avail_in == 0 && xz_avail(state) == -1) ? -1 : \
- (strm->avail_in == 0 ? -1 : \
- (strm->avail_in--, *(strm->next_in)++)))
-+/* Same thing, but from zstrm */
-+#define NEXTZ() ((strm->avail_in == 0 && xz_avail_zstrm(state) == -1) ? -1 : \
-+ (strm->avail_in == 0 ? -1 : \
-+ (strm->avail_in--, *(strm->next_in)++)))
-
- /* Get a four-byte little-endian integer and return 0 on success and the value
- in *ret. Otherwise -1 is returned and *ret is not modified. */
-@@ -324,10 +342,10 @@ gz_next4(xz_statep state, unsigned long
- unsigned long val;
- z_streamp strm = &(state->zstrm);
-
-- val = NEXT();
-- val += (unsigned) NEXT() << 8;
-- val += (unsigned long) NEXT() << 16;
-- ch = NEXT();
-+ val = NEXTZ();
-+ val += (unsigned) NEXTZ() << 8;
-+ val += (unsigned long) NEXTZ() << 16;
-+ ch = NEXTZ();
- if (ch == -1)
- return -1;
- val += (unsigned long) ch << 24;
-- cgit v1.2.3