---
- branch: MAIN
  date: Wed Jun 21 00:23:24 UTC 2017
  files:
  - new: '1.145'
    old: '1.144'
    path: pkgsrc/textproc/libxml2/Makefile
    pathrev: pkgsrc/textproc/libxml2/Makefile@1.145
    type: modified
  - new: '1.116'
    old: '1.115'
    path: pkgsrc/textproc/libxml2/distinfo
    pathrev: pkgsrc/textproc/libxml2/distinfo@1.116
    type: modified
  - new: '1.3'
    old: '0'
    path: pkgsrc/textproc/libxml2/patches/patch-parser.c
    pathrev: pkgsrc/textproc/libxml2/patches/patch-parser.c@1.3
    type: added
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/textproc/libxml2/patches/patch-valid.c
    pathrev: pkgsrc/textproc/libxml2/patches/patch-valid.c@1.2
    type: modified
  id: 20170621T002324Z.f3f90da072dee8947237f9eba9de5b8aee4c427c
  log: "xmlSnprintfElementContent failed to correctly check the available\nbuffer
    space in two locations.\nFixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).\nFrom:
    https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74\n\nThere
    were two bugs where parameter-entity references could lead to an\nunexpected change
    of the input buffer in xmlParseNameComplex and\nxmlDictLookup being called with
    an invalid pointer.\n\nPercent sign in DTD Names\n=========================\nThis
    fixes bug 766956 initially reported by Wei Lei and independently by\nChromium's
    ClusterFuzz, Hanno Bæ\x97¦ck, and Marco Grassi. Thanks to everyone\ninvolved.\n\nxmlParseNameComplex
    with XML_PARSE_OLD10\n========================================\nThis fixes bugs
    781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).\nThanks to Marcel Bæ\x97¦hme
    and Thuan Pham for the report.\n\nAdditional hardening\n====================\nA
    separate check was added in xmlParseNameComplex to validate the\nbuffer size.\n\nFrom:
    https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/textproc/libxml2'
  unixtime: '1498004604'
  user: tez