pkgsrc-Changes archive


CVS commit: pkgsrc/textproc/libxml2



Module Name:    pkgsrc
Committed By:   leot
Date:           Sat Oct 13 09:05:42 UTC 2018

Modified Files:
        pkgsrc/textproc/libxml2: Makefile distinfo
        pkgsrc/textproc/libxml2/patches: patch-xzlib.c

Log Message:
libxml2: Backport upstream patch for CVE-2018-9251 and CVE-2018-14567


To generate a diff of this commit:
cvs rdiff -u -r1.149 -r1.150 pkgsrc/textproc/libxml2/Makefile
cvs rdiff -u -r1.126 -r1.127 pkgsrc/textproc/libxml2/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/textproc/libxml2/patches/patch-xzlib.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/libxml2/Makefile
diff -u pkgsrc/textproc/libxml2/Makefile:1.149 pkgsrc/textproc/libxml2/Makefile:1.150
--- pkgsrc/textproc/libxml2/Makefile:1.149      Thu Aug  9 18:44:13 2018
+++ pkgsrc/textproc/libxml2/Makefile    Sat Oct 13 09:05:42 2018
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.149 2018/08/09 18:44:13 snj Exp $
+# $NetBSD: Makefile,v 1.150 2018/10/13 09:05:42 leot Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
 
-PKGREVISION=   2
+PKGREVISION=   3
 
 COMMENT=       XML parser library from the GNOME project
 LICENSE=       modified-bsd

Index: pkgsrc/textproc/libxml2/distinfo
diff -u pkgsrc/textproc/libxml2/distinfo:1.126 pkgsrc/textproc/libxml2/distinfo:1.127
--- pkgsrc/textproc/libxml2/distinfo:1.126      Thu Aug  9 18:44:13 2018
+++ pkgsrc/textproc/libxml2/distinfo    Sat Oct 13 09:05:42 2018
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.126 2018/08/09 18:44:13 snj Exp $
+$NetBSD: distinfo,v 1.127 2018/10/13 09:05:42 leot Exp $
 
 SHA1 (libxml2-2.9.8.tar.gz) = 66bcefd98a6b7573427cf66f9d3841b59eb5b8c3
 RMD160 (libxml2-2.9.8.tar.gz) = a3bf30ed652cfa2e06c64ae62c95a5ebd889c7a7
@@ -14,4 +14,4 @@ SHA1 (patch-python_libxml.py) = 869a72ae
 SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34
 SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1
 SHA1 (patch-xpath.c) = 9b9832e36e947598d8f5dade80181e82bff54a5c
-SHA1 (patch-xzlib.c) = eb20e3ef1504dacf1363f86c662918365306e84c
+SHA1 (patch-xzlib.c) = a9b4de24d844b9fee30988ae4dbdee950797fd0d

Index: pkgsrc/textproc/libxml2/patches/patch-xzlib.c
diff -u pkgsrc/textproc/libxml2/patches/patch-xzlib.c:1.3 pkgsrc/textproc/libxml2/patches/patch-xzlib.c:1.4
--- pkgsrc/textproc/libxml2/patches/patch-xzlib.c:1.3   Wed Jun 20 18:22:45 2018
+++ pkgsrc/textproc/libxml2/patches/patch-xzlib.c       Sat Oct 13 09:05:42 2018
@@ -1,17 +1,32 @@
-$NetBSD: patch-xzlib.c,v 1.3 2018/06/20 18:22:45 tez Exp $
+$NetBSD: patch-xzlib.c,v 1.4 2018/10/13 09:05:42 leot Exp $
 
-Fix for CVE-2018-9251 from https://bugzilla.gnome.org/show_bug.cgi?id=794914
+Fix for CVE-2018-9251 and CVE-2018-14567, upstream commit id
+2240fbf5912054af025fb6e01e26375100275e74:
 
---- xzlib.c.orig       2018-06-20 16:11:09.322482100 +0000
+ <https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74>
+
+--- xzlib.c.orig       2017-12-02 08:58:10.000000000 +0000
 +++ xzlib.c
-@@ -575,6 +575,10 @@ xz_decomp(xz_statep state)
-         } else                  /* state->how == LZMA */
- #endif
-             ret = lzma_code(strm, action);
-+        if (ret == LZMA_MEMLIMIT_ERROR) {
-+            xz_error(state, LZMA_MEMLIMIT_ERROR, "memory limit error");
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
 +            return -1;
 +        }
-         if (ret == LZMA_MEM_ERROR) {
-             xz_error(state, LZMA_MEM_ERROR, "out of memory");
-             return -1;
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
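Review bot: The catch-all added in the second xzlib.c hunk, `if ((state->how != GZIP) && (ret != LZMA_OK) && (ret != LZMA_STREAM_END))`, exempts the gzip path, so on that path nothing new stops a non-terminating decode loop; it still relies on the zlib-to-LZMA remapping a few lines earlier, which the added FIXME itself calls fragile. Only the `Z_MEM_ERROR` and `Z_DATA_ERROR` remaps are visible here, and xz_decomp starts and ends outside both hunks. It is worth confirming against the full function that every other `inflate()` result either returns or ends the `while (strm->avail_out && ret != LZMA_STREAM_END)` loop. I would also record the intent above the new check, e.g. `/* gzip codes are remapped above; any other lzma_code() failure must stop the loop (CVE-2018-9251, CVE-2018-14567) */`. The single "lzma error" message no longer says which failure occurred, so anyone triaging malformed input has only the numeric `ret` handed to `xz_error` to go on.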


