add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/ from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
diff -r1.128 -r1.129 pkgsrc/textproc/libxml2/Makefile
(spz)
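--- a/pkgsrc/textproc/libxml2/Makefile
+++ b/pkgsrc/textproc/libxml2/Makefile
@@ -1,53 +1,53 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.129 2014/05/10 22:45:42 spz Exp $
 
 DISTNAME= libxml2-2.9.1
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://xmlsoft.org/
 COMMENT= XML parser library from the GNOME project
 LICENSE= modified-bsd
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 
 USE_FEATURES= glob
 USE_LIBTOOL= yes
 USE_TOOLS+= gmake
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --with-html-subdir=libxml2
 CONFIGURE_ARGS+= --with-iconv=${BUILDLINK_PREFIX.iconv}
 CONFIGURE_ARGS+= --without-python
 
 PKGCONFIG_OVERRIDE= libxml-2.0.pc.in
 
 .include "options.mk"
 
 # allow thread-awareness, but make sure the library is not
 # linked against libpthread
 #CONFIGURE_ARGS+= --without-threads
 
 MAKE_ENV+= PAX=${PAX:Q}
 
 .include "../../mk/bsd.prefs.mk"
 
 TEST_TARGET= check
 
 SUBST_CLASSES+= cat
 SUBST_STAGE.cat= pre-configure
 SUBST_FILES.cat= catalog.c xmlcatalog.c
 SUBST_SED.cat= -e "s,@@SGML_DEFAULT_CATALOG@@,${SGML_DEFAULT_CATALOG},g"
 SUBST_SED.cat+= -e "s,@@XML_DEFAULT_CATALOG@@,${XML_DEFAULT_CATALOG},g"
 
 .if ${OPSYS} == "SunOS"
 BUILDLINK_TRANSFORM+= rm:-Werror=format=2
 .endif
 
 .include "../../archivers/xz/buildlink3.mk"
 .include "../../converters/libiconv/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../textproc/xmlcatmgr/catalogs.mk"
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"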
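--- a/distinfo
+++ b/distinfo
@@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
 
 SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
 RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
 Size (libxml2-2.9.1.tar.gz) = 5172503 bytes
 SHA1 (patch-aa) = 589a279df1a5fac8b1b2dbd0018a1bbf0c5ab169
 SHA1 (patch-ab) = 11567fe9a3fde42f3901fd4ab4620bf845fe634b
 SHA1 (patch-ac) = 101cd554fd22e8e9817e21591240eb784b1219b5
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
 SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff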
$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $
Do not fetch external parameter entities (CVE-2014-0191)
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
--- parser.c.orig 2013-04-16 13:39:18.000000000 +0000
+++ parser.c
@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
xmlCharEncoding enc;
/*
+ * Note: external parsed entities will not be loaded, it is
+ * not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+ * default.
+ */
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+ /*
* handle the extra spaces added before and after
* c.f. http://www.w3.org/TR/REC-xml#as-PE
* this is done independently.
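Review bot: The added guard tests validation through both `XML_PARSE_DTDVALID` and the `ctxt->validate` field, but tests entity substitution only through the `XML_PARSE_NOENT` option bit. If a caller enables substitution through the context's `replaceEntities` field rather than the option, this early `return` would presumably stop loading external parameter entities that were loaded before the patch; consider adding `(ctxt->replaceEntities == 0) &&` to the condition or confirming that the field always mirrors the option. The new block comment says "external parsed entities" while the test is on `XML_EXTERNAL_PARAMETER_ENTITY`; `* Note: external parameter entities will not be loaded, ...` would match the code. The guard changes only the default: documents parsed with `XML_PARSE_NOENT` or `XML_PARSE_DTDVALID` still fetch external parameter entities, so consumers of this package that handle untrusted XML should avoid those options, and `XML_PARSE_NONET` blocks only the network fetches. xmlParserHandlePEReference starts and ends outside the hunk, so whatever state the early return leaves behind cannot be checked from here.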