Wed Nov 30 14:46:22 2016 UTC ()

Patch CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726
Bump rev.


(sevan)

diff -r1.2 -r1.3 pkgsrc/textproc/libxml2/Makefile.common
diff -r1.112 -r1.113 pkgsrc/textproc/libxml2/distinfo
diff -r0 -r1.1 pkgsrc/textproc/libxml2/patches/patch-parseInternals.c

--- pkgsrc/textproc/libxml2/Makefile.common 2016/05/28 06:47:51 1.2
+++ pkgsrc/textproc/libxml2/Makefile.common 2016/11/30 14:46:22 1.3

 @@ -1,12 +1,13 @@
-# $NetBSD: Makefile.common,v 1.2 2016/05/28 06:47:51 wiz Exp $
+# $NetBSD: Makefile.common,v 1.3 2016/11/30 14:46:22 sevan Exp $
+#
 # used by textproc/libxml2/Makefile
 # used by textproc/py-libxml2/Makefile
 DISTNAME=	libxml2-2.9.4
 PKGREVISION=	1
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/ \
 		http://xmlsoft.org/sources/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://xmlsoft.org/

--- pkgsrc/textproc/libxml2/distinfo 2016/05/25 07:16:36 1.112
+++ pkgsrc/textproc/libxml2/distinfo 2016/11/30 14:46:22 1.113

 @@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.112 2016/05/25 07:16:36 he Exp $
+$NetBSD: distinfo,v 1.113 2016/11/30 14:46:22 sevan Exp $
 SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
 RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
 SHA512 (libxml2-2.9.4.tar.gz) = f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9
 Size (libxml2-2.9.4.tar.gz) = 5374830 bytes
 SHA1 (patch-aa) = e687eaa9805b855b0c8a944ec5c597bd34954472
 SHA1 (patch-ab) = d6d6e9a91307da0c7f334b5b9ad432878babd1ac
 SHA1 (patch-ac) = 34afe787f6012b460a85be993048e133907a1621
 SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
 SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
 SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
 SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
 SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59

$NetBSD: patch-parseInternals.c,v 1.1 2016/11/30 14:46:22 sevan Exp $

CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726

--- parserInternals.c.orig	2016-11-30 14:35:55.000000000 +0000
+++ parserInternals.c
@@ -1438,6 +1438,11 @@ xmlNewEntityInputStream(xmlParserCtxtPtr
                 break;
             case XML_EXTERNAL_GENERAL_PARSED_ENTITY:
             case XML_EXTERNAL_PARAMETER_ENTITY:
+		if (((ctxt->options & XML_PARSE_NOENT) == 0) &&
+		    ((ctxt->options & XML_PARSE_DTDVALID) == 0)) {
+		    xmlErrInternal(ctxt, "xmlNewEntityInputStream will not read content for external entity\n",
+				    NULL);
+		}
 		return(xmlLoadExternalEntity((char *) entity->URI,
 		       (char *) entity->ExternalID, ctxt));
             case XML_INTERNAL_GENERAL_ENTITY: