Sat May 10 22:45:42 2014 UTC ()

add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/
from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df


(spz)

diff -r1.128 -r1.129 pkgsrc/textproc/libxml2/Makefile
diff -r1.102 -r1.103 pkgsrc/textproc/libxml2/distinfo
diff -r0 -r1.1 pkgsrc/textproc/libxml2/patches/patch-parser.c

--- pkgsrc/textproc/libxml2/Makefile 2013/12/28 23:04:36 1.128
+++ pkgsrc/textproc/libxml2/Makefile 2014/05/10 22:45:42 1.129

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.129 2014/05/10 22:45:42 spz Exp $
 DISTNAME=	libxml2-2.9.1
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/ \
 		http://xmlsoft.org/sources/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xmlsoft.org/
 COMMENT=	XML parser library from the GNOME project
 LICENSE=	modified-bsd
 PKG_INSTALLATION_TYPES=	overwrite pkgviews
 USE_FEATURES=		glob
 USE_LIBTOOL=		yes

--- pkgsrc/textproc/libxml2/distinfo 2013/11/25 23:30:23 1.102
+++ pkgsrc/textproc/libxml2/distinfo 2014/05/10 22:45:42 1.103

 @@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
 SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
 RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
 Size (libxml2-2.9.1.tar.gz) = 5172503 bytes
 SHA1 (patch-aa) = 589a279df1a5fac8b1b2dbd0018a1bbf0c5ab169
 SHA1 (patch-ab) = 11567fe9a3fde42f3901fd4ab4620bf845fe634b
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
 SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
 SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff

$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $

Do not fetch external parameter entities (CVE-2014-0191)
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

--- parser.c.orig	2013-04-16 13:39:18.000000000 +0000
+++ parser.c
@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
 		    xmlCharEncoding enc;
 
 		    /*
+		     * Note: external parsed entities will not be loaded, it is
+		     * not required for a non-validating parser, unless the
+		     * option of validating, or substituting entities were
+		     * given. Doing so is far more secure as the parser will
+		     * only process data coming from the document entity by
+		     * default.
+		     */
+		    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+		        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+		        ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+			(ctxt->validate == 0))
+			return;
+
+		    /*
 		     * handle the extra spaces added before and after
 		     * c.f. http://www.w3.org/TR/REC-xml#as-PE
 		     * this is done independently.