add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/ from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
diff -r1.128 -r1.129 pkgsrc/textproc/libxml2/Makefile
(spz)
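--- a/pkgsrc/textproc/libxml2/Makefile
+++ b/pkgsrc/textproc/libxml2/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.129 2014/05/10 22:45:42 spz Exp $
 
 DISTNAME= libxml2-2.9.1
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://xmlsoft.org/
 COMMENT= XML parser library from the GNOME project
 LICENSE= modified-bsd
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 
 USE_FEATURES= glob
 USE_LIBTOOL= yes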
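--- a/pkgsrc/textproc/libxml2/distinfo
+++ b/pkgsrc/textproc/libxml2/distinfo
@@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
 
 SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
 RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
 Size (libxml2-2.9.1.tar.gz) = 5172503 bytes
 SHA1 (patch-aa) = 589a279df1a5fac8b1b2dbd0018a1bbf0c5ab169
 SHA1 (patch-ab) = 11567fe9a3fde42f3901fd4ab4620bf845fe634b
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
 SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff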
$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $
Do not fetch external parameter entities (CVE-2014-0191)
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
--- parser.c.orig 2013-04-16 13:39:18.000000000 +0000
+++ parser.c
@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
xmlCharEncoding enc;
/*
+ * Note: external parsed entities will not be loaded, it is
+ * not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+ * default.
+ */
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+ /*
* handle the extra spaces added before and after
* c.f. http://www.w3.org/TR/REC-xml#as-PE
* this is done independently.