pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/textproc/libxml2 add a patch for CVE-2014-0191 aka htt...

details:   https://anonhg.NetBSD.org/pkgsrc/rev/0ada1ef1370f
branches:  trunk
changeset: 634187:0ada1ef1370f
user:      spz <spz%pkgsrc.org@localhost>
date:      Sat May 10 22:45:42 2014 +0000

description:
add a patch for CVE-2014-0191 aka http://secunia.com/advisories/58018/
from https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

diffstat:

 textproc/libxml2/Makefile               |   4 ++--
 textproc/libxml2/distinfo               |   3 ++-
 textproc/libxml2/patches/patch-parser.c |  28 ++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 3 deletions(-)

diffs (61 lines):

diff -r 157211b773bf -r 0ada1ef1370f textproc/libxml2/Makefile
--- a/textproc/libxml2/Makefile Sat May 10 22:41:02 2014 +0000
+++ b/textproc/libxml2/Makefile Sat May 10 22:45:42 2014 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2013/12/28 23:04:36 tron Exp $
+# $NetBSD: Makefile,v 1.129 2014/05/10 22:45:42 spz Exp $
 
 DISTNAME=      libxml2-2.9.1
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    textproc
 MASTER_SITES=  ftp://xmlsoft.org/libxml2/ \
                http://xmlsoft.org/sources/
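Review bot: the `PKGREVISION=   2` bump in this hunk is the part that actually delivers the fix to binary-package users, since the new patch changes the built library without changing DISTNAME; good that it is here, and it should stay in the same commit as the patch so a partial update cannot leave a rebuilt-but-unbumped package.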
diff -r 157211b773bf -r 0ada1ef1370f textproc/libxml2/distinfo
--- a/textproc/libxml2/distinfo Sat May 10 22:41:02 2014 +0000
+++ b/textproc/libxml2/distinfo Sat May 10 22:45:42 2014 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.102 2013/11/25 23:30:23 wiz Exp $
+$NetBSD: distinfo,v 1.103 2014/05/10 22:45:42 spz Exp $
 
 SHA1 (libxml2-2.9.1.tar.gz) = eb3e2146c6d68aea5c2a4422ed76fe196f933c21
 RMD160 (libxml2-2.9.1.tar.gz) = 257285d9ac070ed9f58666b7bd7c4653651c871b
@@ -10,5 +10,6 @@
 SHA1 (patch-ae) = 2823276343f65c7d244d22e548faa6a517445819
 SHA1 (patch-ag) = 19afd69713298ecbd247ba733a7c0c13464ae572
 SHA1 (patch-aj) = 988c30b4b09a1cbaf9e7db02bb8981da0f1beaa7
+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe
 SHA1 (patch-threads.c) = 70bb0a779dff6611f755128d609f82360a492f9a
 SHA1 (patch-xzlib.c) = 1fa0b97f3fb52c40c4df3933f269b9b0bbadb0ff
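Review bot: the new `+SHA1 (patch-parser.c) = 06b448b1e627cbe5400524f5f980faa87b9ad4fe` line has to be regenerated with `make makepatchsum` whenever the patch file is touched (the checksum is taken over the patch with its `$NetBSD$` line excluded), otherwise `make patch` refuses to apply it; this is what makes the patch tamper-evident, so it should never be hand-edited to match.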
diff -r 157211b773bf -r 0ada1ef1370f textproc/libxml2/patches/patch-parser.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/libxml2/patches/patch-parser.c   Sat May 10 22:45:42 2014 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-parser.c,v 1.1 2014/05/10 22:45:42 spz Exp $
+
+Do not fetch external parameter entities (CVE-2014-0191)
+https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
+
+--- parser.c.orig      2013-04-16 13:39:18.000000000 +0000
++++ parser.c
+@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt
+                   xmlCharEncoding enc;
+ 
+                   /*
++                   * Note: external parsed entities will not be loaded, it is
++                   * not required for a non-validating parser, unless the
++                   * option of validating, or substituting entities were
++                   * given. Doing so is far more secure as the parser will
++                   * only process data coming from the document entity by
++                   * default.
++                   */
++                  if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++                      ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++                      ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++                      (ctxt->validate == 0))
++                      return;
++
++                  /*
+                    * handle the extra spaces added before and after
+                    * c.f. http://www.w3.org/TR/REC-xml#as-PE
+                    * this is done independently.
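Review bot: the early `return` added at `++                  if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&` keys only on XML_PARSE_NOENT, XML_PARSE_DTDVALID and `ctxt->validate`, so a caller that requests the external subset with XML_PARSE_DTDLOAD but enables neither entity substitution nor validation will no longer have external parameter entities fetched, and gets no warning that the reference was skipped; that behaviour change is worth stating in the patch header (and in the commit message) because dependent packages that rely on external DTD parameter entities will see different parse results after this update. Minor: the added comment says "external parsed entities will not be loaded" while the condition only matches `XML_EXTERNAL_PARAMETER_ENTITY`; suggest "external parameter entities" so it agrees with the "Do not fetch external parameter entities" description at the top of the patch.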
