CVS commit: pkgsrc/www/tidy

["Leonardo Taccari" <leot%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   leot
Date:           Sat Oct 13 11:14:39 UTC 2018

Modified Files:
        pkgsrc/www/tidy: Makefile distinfo
Added Files:
        pkgsrc/www/tidy/patches: patch-src_clean.c

Log Message:
tidy: Backport a patch from upstream to address CVE-2017-17497

Bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/www/tidy/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/tidy/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/tidy/patches/patch-src_clean.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/tidy/Makefile
diff -u pkgsrc/www/tidy/Makefile:1.53 pkgsrc/www/tidy/Makefile:1.54
--- pkgsrc/www/tidy/Makefile:1.53       Mon Nov 27 13:01:37 2017
+++ pkgsrc/www/tidy/Makefile    Sat Oct 13 11:14:38 2018
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.53 2017/11/27 13:01:37 adam Exp $
+# $NetBSD: Makefile,v 1.54 2018/10/13 11:14:38 leot Exp $
 
 DISTNAME=      tidy-html5-5.6.0
 PKGNAME=       ${DISTNAME:S/-html5//}
+PKGREVISION=   1
 CATEGORIES=    www textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=htacg/}
 

Index: pkgsrc/www/tidy/distinfo
diff -u pkgsrc/www/tidy/distinfo:1.24 pkgsrc/www/tidy/distinfo:1.25
--- pkgsrc/www/tidy/distinfo:1.24       Mon Nov 27 13:01:37 2017
+++ pkgsrc/www/tidy/distinfo    Sat Oct 13 11:14:38 2018
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.24 2017/11/27 13:01:37 adam Exp $
+$NetBSD: distinfo,v 1.25 2018/10/13 11:14:38 leot Exp $
 
 SHA1 (tidy-html5-5.6.0.tar.gz) = bd6812f3493095c4ca42be11fe3884d1da11c361
 RMD160 (tidy-html5-5.6.0.tar.gz) = 54ffd0e53240ca7e2e619fb527bd1db7cb68e66f
 SHA512 (tidy-html5-5.6.0.tar.gz) = 179088a6dbd29bb0e4f0219222f755b186145495f7414f6d0e178803ab67140391283d35352d946f9790c6b1b5b462ee6e24f1cc84f19391cb9b65e73979ffd1
 Size (tidy-html5-5.6.0.tar.gz) = 665438 bytes
+SHA1 (patch-src_clean.c) = a846b09ef29b747f71e92669397e55a1e1b3bc8d

Added files:

Index: pkgsrc/www/tidy/patches/patch-src_clean.c
diff -u /dev/null pkgsrc/www/tidy/patches/patch-src_clean.c:1.1
--- /dev/null   Sat Oct 13 11:14:39 2018
+++ pkgsrc/www/tidy/patches/patch-src_clean.c   Sat Oct 13 11:14:38 2018
@@ -0,0 +1,23 @@
+$NetBSD: patch-src_clean.c,v 1.1 2018/10/13 11:14:38 leot Exp $
+
+Backport patch from upstream for CVE-2017-17497, via uptsream commit:
+
+ <https://github.com/htacg/tidy-html5/commit/a111d7a9691953f903ffa1fdbc3762dec22fc215>
+
+Issue #656 - protect against NULL node set in loop
+
+--- src/clean.c.orig   2017-11-25 13:54:41.000000000 +0000
++++ src/clean.c
+@@ -2211,8 +2211,10 @@ Bool TY_(TidyMetaCharset)(TidyDocImpl* d
+     tidyBufAppend(&charsetString, "charset=", 8);
+     tidyBufAppend(&charsetString, (char*)enc, TY_(tmbstrlen)(enc));
+     tidyBufAppend(&charsetString, "\0", 1); /* zero terminate the buffer */
+-                                            /* process the children of the head */
+-    for (currentNode = head->content; currentNode; currentNode = currentNode->next)
++    /* process the children of the head */
++    /* Issue #656 - guard against 'currentNode' being set NULL in loop */
++    for (currentNode = head->content; currentNode; 
++        currentNode = (currentNode ? currentNode->next : NULL))
+     {
+         if (!nodeIsMETA(currentNode))
+             continue;   /* not a meta node */