diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 13:03:54 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-05-22 13:03:54 +0000 |
commit | 13e59ed69b9459e1ef4534ee2f34e5f94fb99232 (patch) | |
tree | f52d3ef4b622ce325201c1045102a2a8f96c5b99 | |
parent | 39a0663834fda2690f8b749de369700e7d995fdd (diff) | |
download | aports-13e59ed69b9459e1ef4534ee2f34e5f94fb99232.tar.bz2 aports-13e59ed69b9459e1ef4534ee2f34e5f94fb99232.tar.xz |
main/libxml2: security fix for CVE-2014-0191
-rw-r--r-- | main/libxml2/APKBUILD | 12 | ||||
-rw-r--r-- | main/libxml2/CVE-2014-0191.patch | 36 |
2 files changed, 44 insertions, 4 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 1738e03964..bf66b8c061 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=libxml2 pkgver=2.9.1 -pkgrel=1 +pkgrel=2 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -13,6 +13,7 @@ makedepends="zlib-dev python-dev" subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils" source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz libxml2-pthread.patch + CVE-2014-0191.patch " options="!strip" @@ -66,8 +67,11 @@ utils() { } md5sums="9c0cfef285d5c4a5c80d00904ddab380 libxml2-2.9.1.tar.gz -cc0da520c5296e87407d24166480da73 libxml2-pthread.patch" +cc0da520c5296e87407d24166480da73 libxml2-pthread.patch +e6f432aea642badcb848e5791bcf6df7 CVE-2014-0191.patch" sha256sums="fd3c64cb66f2c4ea27e934d275904d92cec494a8e8405613780cbc8a71680fdb libxml2-2.9.1.tar.gz -97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f libxml2-pthread.patch" +97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f libxml2-pthread.patch +288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8 CVE-2014-0191.patch" sha512sums="7b10de749485bc2eb2108063e97d89e70d6fbb78b1bf195ab5528c8c64e79483d55223a49d95934f4e00b00e906c18bdd34344703ffe158dcf08096905a44c1b libxml2-2.9.1.tar.gz -bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7 libxml2-pthread.patch" +bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7 libxml2-pthread.patch +41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11 CVE-2014-0191.patch" diff --git a/main/libxml2/CVE-2014-0191.patch b/main/libxml2/CVE-2014-0191.patch new file mode 100644 index 0000000000..4d5fe1a7aa --- /dev/null +++ b/main/libxml2/CVE-2014-0191.patch @@ -0,0 +1,36 @@ +From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 22 Apr 2014 15:30:56 +0800 +Subject: Do not fetch external parameter entities + +Unless explicitely asked for when validating or replacing entities +with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> + +diff --git a/parser.c b/parser.c +index 9347ac9..c0dea05 100644 +--- a/parser.c ++++ b/parser.c +@@ -2598,6 +2598,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + xmlCharEncoding enc; + + /* ++ * Note: external parsed entities will not be loaded, it is ++ * not required for a non-validating parser, unless the ++ * option of validating, or substituting entities were ++ * given. Doing so is far more secure as the parser will ++ * only process data coming from the document entity by ++ * default. ++ */ ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ (ctxt->validate == 0)) ++ return; ++ ++ /* + * handle the extra spaces added before and after + * c.f. http://www.w3.org/TR/REC-xml#as-PE + * this is done independently. +-- +cgit v0.10.1 + |